ETAPS Foreword 


Welcome to the 26th ETAPS! ETAPS 2023 took place in Paris, the beautiful capital of 
France. ETAPS 2023 was the 26th instance of the European Joint Conferences on 
Theory and Practice of Software. ETAPS is an annual federated conference established 
in 1998, and consists of four conferences: ESOP, FASE, FoSSaCS, and TACAS. Each 
conference has its own Program Committee (PC) and its own Steering Committee 
(SC). The conferences cover various aspects of software systems, ranging from theo- 
retical computer science to foundations of programming languages, analysis tools, and 
formal approaches to software engineering. Organising these conferences in a coherent, 
highly synchronized conference programme enables researchers to participate in an 
exciting event, having the possibility to meet many colleagues working in different 
directions in the field, and to easily attend talks of different conferences. On the 
weekend before the main conference, numerous satellite workshops took place that 
attracted many researchers from all over the globe. 

ETAPS 2023 received 361 submissions in total, 124 of which were accepted, 
yielding an overall acceptance rate of 34.3%. I thank all the authors for their interest in 
ETAPS, all the reviewers for their reviewing efforts, the PC members for their con- 
tributions, and in particular the PC (co-)chairs for their hard work in running this entire 
intensive process. Last but not least, my congratulations to all authors of the accepted 
papers! 

ETAPS 2023 featured the unifying invited speakers Véronique Cortier (CNRS, 
LORIA laboratory, France) and Thomas A. Henzinger (Institute of Science and 
Technology, Austria) and the conference-specific invited speakers Mooly Sagiv (Tel 
Aviv University, Israel) for ESOP and Sven Apel (Saarland University, Germany) for 
FASE. Invited tutorials were provided by Ana-Lucia Varbanescu (University of 
Twente and University of Amsterdam, The Netherlands) on heterogeneous computing 
and Joost-Pieter Katoen (RWTH Aachen, Germany and University of Twente, The 
Netherlands) on probabilistic programming. 

As part of the programme we had the second edition of TOOLympics, an event to 
celebrate the achievements of the various competitions or comparative evaluations in 
the field of ETAPS. 

ETAPS 2023 was organized jointly by Sorbonne Université and Université 
Sorbonne Paris Nord. Sorbonne Université (SU) is a multidisciplinary, 
research-intensive and world-class academic institution. It was created in 2018 as the 
merger of two first-class research-intensive universities, UPMC (Université Pierre et 
Marie Curie) and Paris-Sorbonne. SU has three faculties: humanities, medicine, and 
science. It has 55,600 students (4,700 PhD students; 10,200 international students), 6,400 teachers, 
professor-researchers and 3,600 administrative and technical staff members. Université 
Sorbonne Paris Nord is one of the thirteen universities that succeeded the University of 
Paris in 1968. It is a major teaching and research center located in the north of Paris. It 
has five campuses, spread over the two departments of Seine-Saint-Denis and Val 
d’Oise: Villetaneuse, Bobigny, Saint-Denis, the Plaine Saint-Denis and Argenteuil. The 
university has more than 25,000 students in different fields, such as health, medicine, 
languages, humanities, and science. The local organization team consisted of Fabrice 
Kordon (general co-chair), Laure Petrucci (general co-chair), Benedikt Bollig (work- 
shops), Stefan Haar (workshops), Etienne André (proceedings and tutorials), Céline 
Ghibaudo (sponsoring), Denis Poitrenaud (web), Stefan Schwoon (web), Benoit Barbot 
(publicity), Nathalie Sznajder (publicity), Anne-Marie Reytier (communication), 
Hélène Pétridis (finance) and Véronique Criart (finance). 

ETAPS 2023 was further supported by the following associations and societies: 
ETAPS e.V., EATCS (European Association for Theoretical Computer Science), 
EAPLS (European Association for Programming Languages and Systems), EASST 
(European Association of Software Science and Technology), Lip6 (Laboratoire 
d'Informatique de Paris 6), LIPN (Laboratoire d'informatique de Paris Nord), Sorbonne 
Université, Université Sorbonne Paris Nord, CNRS (Centre national de la recherche 
scientifique), CEA (Commissariat à l'énergie atomique et aux énergies alternatives), 
LMF (Laboratoire méthodes formelles), and Inria (Institut national de recherche en 
informatique et en automatique). 

The ETAPS Steering Committee consists of an Executive Board, and representa- 
tives of the individual ETAPS conferences, as well as representatives of EATCS, 
EAPLS, and EASST. The Executive Board consists of Holger Hermanns (Saarbrücken), 
Marieke Huisman (Twente, chair), Jan Kofroň (Prague), Barbara König 
(Duisburg), Thomas Noll (Aachen), Caterina Urban (Inria), Jan Křetínský (Munich), 
and Lenore Zuck (Chicago). 

Other members of the steering committee are: Dirk Beyer (Munich), Luís Caires 
(Lisboa), Ana Cavalcanti (York), Bernd Finkbeiner (Saarland), Reiko Heckel 
(Leicester), Joost-Pieter Katoen (Aachen and Twente), Naoki Kobayashi (Tokyo), 
Fabrice Kordon (Paris), Laura Kovács (Vienna), Orna Kupferman (Jerusalem), Leen 
Lambers (Cottbus), Tiziana Margaria (Limerick), Andrzej Murawski (Oxford), Laure 
Petrucci (Paris), Elizabeth Polgreen (Edinburgh), Peter Ryan (Luxembourg), Sriram 
Sankaranarayanan (Boulder), Don Sannella (Edinburgh), Natasha Sharygina (Lugano), 
Paweł Sobociński (Tallinn), Sebastian Uchitel (London and Buenos Aires), Andrzej 
Wąsowski (Copenhagen), Stephanie Weirich (Pennsylvania), Thomas Wies (New 
York), Anton Wijs (Eindhoven), and James Worrell (Oxford). 

I would like to take this opportunity to thank all authors, keynote speakers, atten- 
dees, organizers of the satellite workshops, and Springer-Verlag GmbH for their 
support. I hope you all enjoyed ETAPS 2023. 

Finally, a big thanks to Laure and Fabrice and their local organization team for all 
their enormous efforts to make ETAPS a fantastic event. 


April 2023 Marieke Huisman 
ETAPS SC Chair 
ETAPS e.V. President 


Preface 


This volume contains the papers presented at the 26th International Conference on 
Foundations of Software Science and Computation Structures (FoSSaCS 2023), which 
was held 24-27 April, 2023, in Paris, France. The conference is dedicated to foun- 
dational research with a clear significance for software science and brings together 
research on theories and methods to support the analysis, integration, synthesis, 
transformation, and verification of programs and software systems. 

The program consisted of 26 contributed papers, selected from among 85 submis- 
sions. Each submission was assessed by three or more Program Committee members. 
The conference management system EasyChair was used to handle the submissions, to 
conduct the electronic Program Committee discussions, and to assist with the assembly 
of the proceedings. 

We wish to thank all the authors who submitted papers for consideration, the 
members of the Program Committee for their conscientious work, and all additional 
reviewers who assisted the Program Committee in the evaluation process. Finally, we 
would like to thank the ETAPS organization for providing an excellent environment for 
FoSSaCS, other conferences, and workshops. 
When Programs Have to Watch Paint Dry 


Danel Ahman 


Faculty of Mathematics and Physics, University of Ljubljana, Ljubljana, Slovenia 
danel.ahman@fmf.uni-lj.si 


Abstract. We explore type systems and programming abstractions for 
the safe usage of resources. In particular, we investigate how to use types 
to modularly specify and check when programs are allowed to use their 
resources, e.g., when programming a robot arm on a production line, it 
is crucial that painted parts are given enough time to dry before assem- 
bly. We capture such temporal resources using a time-graded variant of 
Fitch-style modal type systems, develop a corresponding modally typed, 
effectful core calculus, and equip it with a graded-monadic denotational 
semantics illustrated by a concrete presheaf model. Our calculus also in- 
cludes graded algebraic effects and effect handlers. They are given a novel 
temporally aware treatment in which operations’ specifications include 
their execution times and their continuations know that an operation’s 
worth of additional time has passed before they start executing, making 
it possible to safely access further temporal resources in them. 


Keywords: Temporal resources - Modal types - Graded monads - 
Algebraic effects - Effect handlers. 


1 Introduction 


The correct usage of resources is at the heart of many programs, especially if 
they control safety-critical machinery. Such resources can take many different 
forms: ensuring that file handles are not arbitrarily duplicated or discarded (as 
captured by linear and uniqueness types) [11,25,40], or guaranteeing that com- 
munication happens according to protocols (as specified by session types) [30,70], 
or controlling how data is laid out in memory (as in Hoare and separation log- 
ics) [2,34,56,64], or assuring that resources are correctly finalised [1,43]. 

In contrast to the above approaches that predominantly focus on how re- 
sources are used, we study how to modularly specify and verify when programs 
can use their resources—we call such resources temporal. For instance, consider 
the following code snippet controlling a robot arm on a (car) production line: 


let (body’, left-door’, right-door’) = paint (body, left-door, right-door) in 
assemble (body’, left-door’, right-door’) 


Here, the correct execution of the program (and thus operation of the robot 
arm it is controlling) relies on the car parts given enough time to dry between 
painting and assembly. Therefore, in its current form, the above code is correct 


© The Author(s) 2023 
O. Kupferman and P. Sobocinski (Eds.): FoSSaCS 2023, LNCS 13992, pp. 1-23, 2023. 
https://doi.org/10.1007/978-3-031-30829-1_1 
only if a compiler (or a scheduler) inserts enough of a time delay at compile time 
(resp. dynamically blocks the program’s execution for enough time) between the calls 
to paint and assemble. However, in either case, one still faces the question of how 
to reason about the correctness of the compiled code (resp. dynamic checks). 
In this paper, we focus on developing a type-system-based means for reasoning 
about the temporal correctness of the code that the above-mentioned compiler 
might produce, or that a programmer might write directly when full control of 
the code is important. In particular, we had three desiderata we set out to fulfil: 


1. We did not want the delay between paint and assemble to be limited to 
just blocking execution, with the robot sitting idly while watching paint dry. 
Instead, we wanted a flexible formalism that would allow the robot to spend 
that time doing other useful work, while ensuring that enough time passes. 


2. We wanted the passage of time of program execution to be modelled within the 
type system, rather than being left to some unspecified meta-level run-time. 


3. We wanted the resulting language to give programmers the freedom to re- 
define the behaviour of operations such as paint and assemble, say, via effect 
handling [61], while respecting the operations’ temporal specifications. 


Paper Structure We achieve these goals by designing a mathematically natural 
core programming language for safe and correct programming with temporal re- 
sources: on the one hand, based on a time-graded, temporal variant of Fitch-style 
modal type systems [19,27], and on the other hand, on graded monads [35,51,67]. 

We review modal types and discuss how we use them to capture temporal 
resources in §2. In §3, we present λ[τ], our modally typed, effectful, equationally 
presented core calculus for safe programming with temporal resources. We justify 
the design of λ[τ] by giving it a mathematically natural sound denotational se- 
mantics in §4, based on graded monads and adjunctions between strong monoidal 
functors, including a concrete presheaf example. In §5, we briefly discuss a spe- 
cialisation of λ[τ] with equations for time delays. We review related work and 
remark on future work in §6, and conclude in §7. This paper is also accompanied 
by an online appendix (https://arxiv.org/abs/2210.07738) that presents further 
details of renamings and denotational semantics that we omit in §3 and §4. 

For supplementary rigour, we have formalised the main results of §3 and 
§4 also in Agda [68], available at https://github.com/danelahman/temporal-resources/releases/tag/fossacs2023. 
Regrettably, it currently lacks (i) proofs of 
some auxiliary lemmas noted in Prop. 4 due to a bug in Agda where with- 
abstractions produce ill-typed terms,¹ and (ii) two laws of the presheaf model 
because unfolding of definitions produces unmanageably large terms for Agda. 


2 Modal Types for Temporal Resources 


We begin with an overview of (Fitch-style) modal type systems and how a time- 
graded variant of them naturally captures temporal aspects of resources. 


1 Eta-contraction is not type-preserving: https://github.com/agda/agda/issues/2732 
2.1 (Fitch-Style) Modal Types 


A modal type system extends the types of an underlying type system with new 
modal type formers,² e.g., □X, which states that the type X is to be considered and 
reasoned about in a different mode compared to X; this mode can take many forms. 
For instance, in Kripke’s possible worlds semantics, □X means that values of 
type X are available in all future worlds [41]; in run-time code generation, the 
type □X captures generators of X-typed code [72]; and in asynchronous and 
distributed programming, the type □X specifies mobile X-typed values [3,54,63]. 

Many different approaches to presenting modal type systems have been devel- 
oped, one of the main reasons being the difficulty of getting the introduction 
rule for □X right. Namely, bearing in mind Kripke’s possible worlds seman- 
tics, the introduction rule for □X must allow one to use only those hypotheses 
that also hold in all future worlds, while at the same time ensuring that the sys- 
tem still enjoys the expected structural properties. Solutions to this problem have 
involved proving □X in a context containing only □-types [62] (with a failure 
of structural properties in the naive approaches), or building a form of explicit 
substitutions into the introduction rule for □X to give the rule premise access 
to only □-types [12], or incorporating the Kripke semantics in the type system 
by explicitly indexing types with worlds [66]—see [37] for an in-depth survey. 

In this paper, we build on Fitch-style modal type systems [15,19,27,48], where 
the typing rules for □X are given with respect to another modality, 🔒, that 
acts on contexts, resulting in a particularly pleasant type-theoretic presentation. 

As an illustrative example, in a Fitch-style modal type system corresponding 
to the modal logic S4 (whose Kripke models require the order on worlds to be 
reflexive and transitive, thus also corresponding to natural properties of time), 
the typing rules for variables and the □X type have the following form:³ 

$$\textsc{Var}\ \dfrac{\text{🔒} \notin \Gamma'}{\Gamma, x : X, \Gamma' \vdash x : X} \qquad \textsc{Shut}\ \dfrac{\Gamma, \text{🔒} \vdash t : X}{\Gamma \vdash \mathsf{shut}\ t : \Box X} \qquad \textsc{Open}\ \dfrac{\Gamma \vdash t : \Box X}{\Gamma, \Gamma' \vdash \mathsf{open}\ t : X}$$


Intuitively, the context modality 🔒 creates a barrier in the premise of SHUT 
so that only □-typed variables can be used from Γ in t, achieving the above- 
mentioned correctness goal for the introduction rule of □X. Alternatively, in the 
context of Kripke’s possible worlds semantics, one can also read the occurrences 
of the 🔒 modality as advancing the underlying world—in SHUT, t in the premise 
is typed in some future world compared to where shut t is typed at. This intuition 
will be useful to how we use a similar modality to capture the passage of time in 
λ[τ]. The context weakening Γ, Γ' in OPEN ensures the admissibility of structural 
rules, and in the possible worlds reading, it intuitively expresses that if □X is 
available in some world, then X will be available in all possible future worlds. 


2 For brevity, we use the term modal type system to interchangeably refer to both 
modal type systems and natural deduction systems of (intuitionistic) modal logics. 
3 Depending on which exact modal logic one is trying to capture, the form of contexts 
used in the introduction/elimination rules can differ, see [19] for a detailed overview. 
2.2 Modal Types for Temporal Resources 


Next, we give a high-level overview of how we use a time-graded variant of Fitch- 
style modal type systems to capture temporal properties of resources in λ[τ]. For 
this, we use the production line code snippet from §1 as a working example. 


A Naive Approach Before turning to modal types, a naive solution to achieve 
the desired time delay would be for paint to return the required drying time and 
for the program to delay execution for that time duration, e.g., as expressed in 


let (τ_dry, body’, left-door’, right-door’) = paint (body, left-door, right-door) in 
delay τ_dry; 
assemble (body’, left-door’, right-door’) 


It is not difficult to see that we could generalise this solution to allow performing 
other useful activities while waiting for τ_dry time to pass. So are we done and can 
we conclude the paper here? Well, no, because this solution puts all the burden 
for writing correct code on the shoulders of the programmer, with successful 
typechecking giving no additional guarantees that τ_dry indeed will have passed. 


A Temporal Resource Type Instead, inspired by Fitch-style modal type 
systems and Kripke’s possible worlds semantics of the □-modality, we propose 
a temporal resource type, written [τ] X, to specify that a value of type X will 
become available for use in at most τ time units, or to put it differently, the 
boxed value of type X can be explicitly unboxed only when at least τ time units 
have passed. Concretely, [τ] X is presented by the following two typing rules: 

$$\textsc{Box}\ \dfrac{\Gamma, \langle \tau \rangle \vdash V : X}{\Gamma \vdash \mathsf{box}_\tau\, V : [\tau]\,X} \qquad \textsc{Unbox}\ \dfrac{\tau \le \mathrm{time}\,\Gamma \quad \Gamma - \tau \vdash V : [\tau]\,X \quad \Gamma, x : X \vdash N : Y\,!\,\tau'}{\Gamma \vdash \mathsf{unbox}_\tau\, V\ \mathsf{as}\ x\ \mathsf{in}\ N : Y\,!\,\tau'}$$


Above, the τs are natural numbers that count discrete time moments, and Y ! τ' is a 
type of computations returning Y-typed values and executing in τ' time units. 
Analogously to the context modality 🔒 of Fitch-style modal type systems, 
we introduce a similar modality on contexts, written ⟨τ⟩, to express that when 
typechecking a term of the form Γ, ⟨τ⟩ ⊢ V : X, we can safely assume that at 
least τ time will have passed before V is accessed or executed, as in the premise 
of the BOX rule. Accordingly, in UNBOX, we require that at least τ time units 
have passed since the resource V of type [τ] X was created or brought into scope, 
by typing V in the “earlier” context Γ − τ (we define this operation in §3.3). 
Encapsulating temporal resources as a type gives us flexible first-class access 
to them, and allows to pack them in data structures and pass them to functions. 


Modelling Passage of Time As we see in the UNBOX rule, we can unbox a 
temporal resource only when enough time has passed since its creation. This begs 
the question: How can the passage of time be modelled within the type system? 
For this, we propose a new notion of temporally aware graded algebraic effects, 
where each operation op is specified not only by its parameter and result types, 
but also by its prescribed execution time, and with op’s continuation knowing 
that op’s worth of additional time has passed before it begins executing. We refer 
the reader to [8,31,35,60] for background on ordinary (graded) algebraic effects. 
For instance, the paint operation, taking τ_paint time, is typed in λ[τ] as⁴ 

$$\dfrac{\Gamma \vdash V : \mathsf{Body} \times \mathsf{Door} \times \mathsf{Door} \quad \Gamma, \langle \tau_{\mathsf{paint}} \rangle, x : [\tau_{\mathsf{dry}}]\,\mathsf{Body} \times [\tau_{\mathsf{dry}}]\,\mathsf{Door} \times [\tau_{\mathsf{dry}}]\,\mathsf{Door} \vdash M : X\,!\,\tau}{\Gamma \vdash \mathsf{paint}\ V\ (x.\,M) : X\,!\,\tau_{\mathsf{paint}} + \tau}$$


Here, ⟨τ_paint⟩ expresses that from the perspective of any unboxes in M, an addi- 
tional τ_paint time will have passed compared to the beginning of the execution 
of paint V (x. M), which is typed in the “earlier” context Γ. Also, observe that 
paint’s result x is available after τ_paint time has passed (i.e., after paint finishes), 
and its type has the car part types wrapped as temporal resources, ensuring that 
any further operations (e.g., assemble) can access them only after at least τ_dry 
time has passed after paint finishes. The delay τ operation is typed analogously. 

Finally, similarly to algebraic operations, we also use the context modality 
⟨τ⟩ to model the passage of time in sequential composition, as specified in 

$$\textsc{Let}\ \dfrac{\Gamma \vdash M : X\,!\,\tau \quad \Gamma, \langle \tau \rangle, x : X \vdash N : Y\,!\,\tau'}{\Gamma \vdash \mathsf{let}\ x = M\ \mathsf{in}\ N : Y\,!\,\tau + \tau'}$$


The type X ! τ (for specifying the execution time of computations) is standard 
from graded monads style effect systems [35]. The novelty of our work is to use 
this effect information to inform continuations that they can safely assume that 
the given amount of additional time has passed before they start executing. 


Putting It All Together We conclude this overview by revisiting the produc- 
tion line code snippet and note that in the λ[τ]-calculus we can write it as 

let (body’, left-door’, right-door’) = paint (body, left-door, right-door) in 
delay τ_dry; 
unbox body’ as body” in 
unbox left-door’ as left-door” in 
unbox right-door’ as right-door” in 
assemble (body”, left-door”, right-door”) 


Observe that apart from the unbox operations, the code looks identical to 
the naive, unsafe solution discussed earlier. However, crucially, now any code 
that wants to use the outputs of paint will typecheck only if these resources are 
accessed after at least τ_dry time units have passed after paint finishes. In the 
code snippet, this is achieved by blocking execution with delay τ_dry for τ_dry time 
units, but this could have been equally well achieved by executing other useful 
operations op₁; …; opₙ, as long as they collectively take at least τ_dry time. 


4 We present λ[τ] formally using algebraic operations with explicit continuations, while 
in code snippets we use so-called generic effects [59] without explicit continuations. 
Time grade          τ ∈ ℕ 
Ground type         A, B, C ::= b | unit | A × B | [τ] A 
Value type          X, Y, Z ::= A | X × Y | X → Y ! τ | [τ] X 
Computation type    X ! τ 


Fig. 1. Types of λ[τ]. 


3 A Calculus for Programming with Temporal Resources 


We now recast the ideas explained above as a formal, modally typed, effectful 
core calculus, called λ[τ]. We base it on the fine-grain call-by-value λ-calculus [44]. 


3.1 Types 


The types of λ[τ] are given in Fig. 1. Ground types include base types b, and are 
closed under finite products and the modal temporal resource type [τ] A. The 
latter denotes that an A-typed value will become available in at most τ time 
units, where τ ∈ ℕ counts discrete time moments.⁵ The ground types can also 
come with constants f with associated constant signatures f : (A₁, ..., Aₙ) → B. 

To model operations such as paint and assemble discussed in §2.2, we assume 
a set of operation symbols O, with each op ∈ O assigned an operation signature 
op : A_op ⇝ B_op ! τ_op, which specifies that op accepts inputs of type A_op, returns 
values of type B_op, and its execution takes τ_op time units. Observe that by 
typing operations with ground types, as opposed to simply with base types, we 
can specify operations such as paint : Part ⇝ ([τ_dry] Part) ! τ_paint, returning values 
that can be accessed only after a certain amount of time, here, after τ_dry. 

Value types extend ground types with the function type X → Y ! τ that specifies 
functions taking X-typed arguments to computations that return Y-typed values 
and take τ time to execute, as expressed by the computation type Y ! τ. 


3.2 Terms 


The syntax of terms is given in Fig. 2, separated into values and computations. 
Values include variables, constants, finite tuples, functions, and the boxing 
up of temporal resources, box_τ V, which allows us to consider an arbitrary value 
V as a temporal resource as long as it is safe to access V after τ time units. 
Computations include returning values, sequential composition, function ap- 
plication, pattern-matching,⁶ algebraic operation calls, effect handling, and the 
unboxing of temporal resources, where given a temporal resource V of type [τ] X, 


5 For concreteness, we work with (ℕ, 0, +, −, ≤) for time grades, but we do not foresee 
problems generalising these to come from other analogous algebraic structures. 
6 The form let (x, y, z) = M in N in §1 and §2 is the natural combination of let and match. 
Values 
V, W ::= x                                variable 
       | f(V₁, ..., Vₙ)                   constant 
       | () | (V, W)                      unit and pairing 
       | fun (x : X) ↦ M                  function 
       | box_τ V                          boxing up a temporal resource 
Computations 
M, N ::= return V                         returning a value 
       | let x = M in N                   sequential composition 
       | V W                              function application 
       | match V with {(x, y) ↦ N}        pattern-matching 
       | op V (x. M)                      operation call 
       | delay τ M                        time delay 
       | handle M with H to x in N        effect handling 
       | unbox_τ V as x in N              unboxing a temporal resource 
Effect handlers 
H ::= (x . k . M_op)_{op ∈ O}             operation clauses 


Fig. 2. Values, computations, and effect handlers of λ[τ]. 


the computation unbox_τ V as x in N is used to access the underlying value of 
type X if at least τ time units have passed since the creation of the resource V. 
In addition to user-specifiable operation calls (via operation signatures and 
effect handling), we include a separate delay τ M operation that blocks the 
execution of its continuation for the given amount of time. For simplicity, we 
require effect handlers to have operation clauses M_op for all op ∈ O, but we do 
not allow delays to be handled in light of the equations we want of them in §5, 
where all consecutive delays are collapsed and all zero-delays are removed. 


3.3 Type System 


We now equip λ[τ] with a modal type-and-effect system. On the one hand, for 
modelling temporal resources, we build on Fitch-style modal type systems [19]. 
On the other hand, for modelling effectful computations and their specifications, 
we build on type-and-effect systems for calculi based on graded monads [35]. 

The typing judgements are written as Γ ⊢ V : X and Γ ⊢ M : X ! τ, where 
τ specifies M’s execution time and Γ is a temporal typing context, given by 


Γ ::= · | Γ, x : X | Γ, ⟨τ⟩ 


Here, ⟨τ⟩ is a temporal context modality, akin to 🔒 in Fitch-style systems. We 
use it to express that when typechecking a term of the form Γ, ⟨τ⟩ ⊢ V : X, we 
can safely assume that at least τ time will have passed before the resource V is 
accessed or executed. The rules defining these judgements are given in Fig. 3. 


Values 

$$\textsc{Var}\ \dfrac{}{\Gamma, x : X, \Gamma' \vdash x : X} \qquad \textsc{Const}\ \dfrac{(\Gamma \vdash V_i : A_i)_{1 \le i \le n}}{\Gamma \vdash f(V_1, \ldots, V_n) : B} \qquad \textsc{Pair}\ \dfrac{\Gamma \vdash V : X \quad \Gamma \vdash W : Y}{\Gamma \vdash (V, W) : X \times Y}$$

$$\textsc{Unit}\ \dfrac{}{\Gamma \vdash () : \mathsf{unit}} \qquad \textsc{Fun}\ \dfrac{\Gamma, x : X \vdash M : Y\,!\,\tau}{\Gamma \vdash \mathsf{fun}\,(x : X) \mapsto M : X \to Y\,!\,\tau} \qquad \textsc{Box}\ \dfrac{\Gamma, \langle \tau \rangle \vdash V : X}{\Gamma \vdash \mathsf{box}_\tau\, V : [\tau]\,X}$$

Computations 

$$\textsc{Return}\ \dfrac{\Gamma \vdash V : X}{\Gamma \vdash \mathsf{return}\ V : X\,!\,0} \qquad \textsc{Let}\ \dfrac{\Gamma \vdash M : X\,!\,\tau \quad \Gamma, \langle \tau \rangle, x : X \vdash N : Y\,!\,\tau'}{\Gamma \vdash \mathsf{let}\ x = M\ \mathsf{in}\ N : Y\,!\,\tau + \tau'}$$

$$\textsc{Apply}\ \dfrac{\Gamma \vdash V : X \to Y\,!\,\tau \quad \Gamma \vdash W : X}{\Gamma \vdash V\,W : Y\,!\,\tau} \qquad \textsc{Match}\ \dfrac{\Gamma \vdash V : X \times Y \quad \Gamma, x : X, y : Y \vdash N : Z\,!\,\tau}{\Gamma \vdash \mathsf{match}\ V\ \mathsf{with}\ \{(x, y) \mapsto N\} : Z\,!\,\tau}$$

$$\textsc{Op}\ \dfrac{\Gamma \vdash V : A_{\mathsf{op}} \quad \Gamma, \langle \tau_{\mathsf{op}} \rangle, x : B_{\mathsf{op}} \vdash M : X\,!\,\tau}{\Gamma \vdash \mathsf{op}\ V\ (x.\,M) : X\,!\,\tau_{\mathsf{op}} + \tau} \qquad \textsc{Delay}\ \dfrac{\Gamma, \langle \tau \rangle \vdash M : X\,!\,\tau'}{\Gamma \vdash \mathsf{delay}\ \tau\ M : X\,!\,\tau + \tau'}$$

$$\textsc{Handle}\ \dfrac{\Gamma \vdash M : X\,!\,\tau \quad \Gamma, \langle \tau \rangle, x : X \vdash N : Y\,!\,\tau' \quad H = (x.\,k.\,M_{\mathsf{op}})_{\mathsf{op} \in \mathcal{O}} \quad \big(\forall \tau''.\ \Gamma, x : A_{\mathsf{op}}, k : [\tau_{\mathsf{op}}]\,(B_{\mathsf{op}} \to Y\,!\,\tau'') \vdash M_{\mathsf{op}} : Y\,!\,\tau_{\mathsf{op}} + \tau''\big)_{\mathsf{op} \in \mathcal{O}}}{\Gamma \vdash \mathsf{handle}\ M\ \mathsf{with}\ H\ \mathsf{to}\ x\ \mathsf{in}\ N : Y\,!\,\tau + \tau'}$$

$$\textsc{Unbox}\ \dfrac{\tau \le \mathrm{time}\,\Gamma \quad \Gamma - \tau \vdash V : [\tau]\,X \quad \Gamma, x : X \vdash N : Y\,!\,\tau'}{\Gamma \vdash \mathsf{unbox}_\tau\, V\ \mathsf{as}\ x\ \mathsf{in}\ N : Y\,!\,\tau'}$$


Fig. 3. Typing rules of λ[τ]. 

In contrast to the Fitch-style modal type systems discussed in §2.1, VAR does 
not restrict the Γ' to the right of x to be free of context modalities. This is so 
because in the possible worlds reading of λ[τ] (see §4) we treat all types as being 
monotone for time—this is not usually the case for formulae in modal logics such 
as S4, but in λ[τ] it models that once any value is available it will remain so. 
As in systems based on graded monads, RETURN specifies that returning a 
value takes zero time, and LET that the execution time of sequentially composed 
computations is the sum of the individual ones. Novel to λ[τ], LET, OP, DELAY, 
and HANDLE state that the continuations can safely assume that the relevant amount 
of additional time has passed before they start executing, as discussed in §2.2. 
When typing the operation clauses M_op in HANDLE, we universally quantify 
(at the meta-level) over the execution time τ'' of the continuation k of M_op. We 
do so as the operation clauses M_op must be able to execute at any point when 
effect handling recursively traverses M. Further, observe that k is wrapped inside 
a resource type. This ensures that k is invoked only after τ_op amount of time has 
been spent in M_op, thus guaranteeing that the temporal discipline is respected. 
Note that this enforces a linear discipline for our effect handlers: for τ_op > 0, k 
must be executed exactly once for M_op’s execution time to match τ_op + τ''. 

Finally, BOX specifies that in order to box up a value V of type X as a 
temporal resource of type [τ] X, we must be able to type V when assuming that 
τ additional time units will have passed before V is accessed. At the same time, 
UNBOX specifies that we can unbox a temporal resource V of type [τ] X only if 
at least τ time units have passed since its creation: the time captured by Γ must 
be at least τ, and we must be able to type V in the context Γ − τ that is τ time 
units “earlier”. The time captured by a context, time Γ, is calculated recursively as 

$$\mathrm{time}\ \cdot = 0 \qquad \mathrm{time}\ (\Gamma, x : X) = \mathrm{time}\ \Gamma \qquad \mathrm{time}\ (\Gamma, \langle \tau \rangle) = \mathrm{time}\ \Gamma + \tau$$

and the “time travelling” operation Γ − τ as (where τ₊ = 1 + τ'' for some τ'') 

$$\begin{aligned}
\Gamma - 0 &\stackrel{\mathrm{def}}{=} \Gamma \qquad\qquad \cdot - \tau_+ \stackrel{\mathrm{def}}{=} \cdot \qquad\qquad (\Gamma, x : X) - \tau_+ \stackrel{\mathrm{def}}{=} \Gamma - \tau_+ \\
(\Gamma, \langle \tau' \rangle) - \tau_+ &\stackrel{\mathrm{def}}{=} \text{if } \tau_+ \le \tau' \text{ then } \Gamma, \langle \tau' - \tau_+ \rangle \text{ else } \Gamma - (\tau_+ - \tau')
\end{aligned}$$

taking Γ to an “earlier” state by removing τ worth of modalities and variables. 
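As an added illustration (this is not the paper's calculus implementation nor its Agda formalisation), the following Python typechecker implements time Γ, Γ − τ and the VAR, BOX, RETURN, LET, DELAY, OP and UNBOX rules for a fragment of λ[τ] without functions, products or handlers, and runs the production line program of §2.2 on a single part in three variants: idling with delay τ_dry, doing other work (a hypothetical weld operation) instead, and the naive version with no wait at all. The operation signatures, the grades τ_paint = 2, τ_dry = 5, τ_assemble = 3, τ_weld = 6 and the program itself are constructed for the example.

```python
"""Type checker for a fragment of lambda_[tau] (variables, box/unbox, return, let,
delay, operation calls) over time-graded contexts. Added example; the operation
signatures, grades and program below are constructed, not the paper's."""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple, Union

@dataclass(frozen=True)
class Base: name: str                        # base type b ("unit" is a base type here)
@dataclass(frozen=True)
class Boxed: tau: int; inner: "Ty"           # temporal resource type [tau] X
Ty = Union[Base, Boxed]
UNIT = Base("unit")
@dataclass(frozen=True)
class Bind: name: str; ty: Ty                # context entry  x : X
@dataclass(frozen=True)
class Mod: tau: int                          # context entry  <tau>
Ctx = Tuple[Union[Bind, Mod], ...]


def time_of(ctx: Ctx) -> int:
    """time Gamma: the sum of the grades of all modalities in Gamma."""
    return sum(e.tau for e in ctx if isinstance(e, Mod))


def minus(ctx: Ctx, tau: int) -> Ctx:
    """Gamma - tau: strip tau worth of modalities (and variables bound inside them)."""
    if tau == 0 or not ctx:
        return ctx
    last = ctx[-1]
    if isinstance(last, Bind):
        return minus(ctx[:-1], tau)
    if tau <= last.tau:
        return ctx[:-1] + (Mod(last.tau - tau),)
    return minus(ctx[:-1], tau - last.tau)


# Terms: values x | box_tau V; computations return V | let | delay | op V (x. M) | unbox.
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Box: tau: int; val: "Val"
Val = Union[Var, Box]
@dataclass(frozen=True)
class Return: val: Val
@dataclass(frozen=True)
class Let: x: str; m: "Comp"; n: "Comp"
@dataclass(frozen=True)
class Delay: tau: int; m: "Comp"
@dataclass(frozen=True)
class Op: op: str; arg: Val; x: str; m: "Comp"
@dataclass(frozen=True)
class Unbox: tau: int; val: Val; x: str; n: "Comp"
Comp = Union[Return, Let, Delay, Op, Unbox]
Sig = Dict[str, Tuple[Ty, Ty, int]]          # op |-> (A_op, B_op, tau_op)


class TemporalTypeError(Exception):
    pass


def check_val(sig: Sig, ctx: Ctx, v: Val) -> Ty:
    if isinstance(v, Var):                   # VAR: modalities right of x are no obstacle
        for e in reversed(ctx):
            if isinstance(e, Bind) and e.name == v.name:
                return e.ty
        raise TemporalTypeError(f"{v.name} not in scope (removed by Gamma - tau?)")
    # BOX: V must be typeable assuming tau more time units have passed
    return Boxed(v.tau, check_val(sig, ctx + (Mod(v.tau),), v.val))


def check_comp(sig: Sig, ctx: Ctx, m: Comp) -> Tuple[Ty, int]:
    """Gamma |- M : Y ! tau, returned as the pair (Y, tau)."""
    if isinstance(m, Return):                        # RETURN: takes 0 time
        return check_val(sig, ctx, m.val), 0
    if isinstance(m, Let):                           # LET: N is typed under <tau1>
        x_ty, t1 = check_comp(sig, ctx, m.m)
        y_ty, t2 = check_comp(sig, ctx + (Mod(t1), Bind(m.x, x_ty)), m.n)
        return y_ty, t1 + t2
    if isinstance(m, Delay):                         # DELAY: M is typed under <tau>
        y_ty, t2 = check_comp(sig, ctx + (Mod(m.tau),), m.m)
        return y_ty, m.tau + t2
    if isinstance(m, Op):                            # OP: continuation sees <tau_op>
        a_ty, b_ty, t_op = sig[m.op]
        if check_val(sig, ctx, m.arg) != a_ty:
            raise TemporalTypeError(f"argument of {m.op} has the wrong type")
        y_ty, t2 = check_comp(sig, ctx + (Mod(t_op), Bind(m.x, b_ty)), m.m)
        return y_ty, t_op + t2
    # UNBOX: tau <= time Gamma, and V must be a [tau]-resource already in Gamma - tau
    if m.tau > time_of(ctx):
        raise TemporalTypeError(f"unbox_{m.tau}: only {time_of(ctx)} time units have passed")
    v_ty = check_val(sig, minus(ctx, m.tau), m.val)
    if not (isinstance(v_ty, Boxed) and v_ty.tau == m.tau):
        raise TemporalTypeError(f"unbox_{m.tau} applied to a value of type {v_ty}")
    return check_comp(sig, ctx + (Bind(m.x, v_ty.inner),), m.n)


# Production line with a single part (constructed signatures, grades and program).
PART = Base("Part")
TAU_PAINT, TAU_DRY, TAU_ASSEMBLE, TAU_WELD = 2, 5, 3, 6
SIG: Sig = {"paint": (PART, Boxed(TAU_DRY, PART), TAU_PAINT),  # Part ~> [5] Part ! 2
            "assemble": (PART, UNIT, TAU_ASSEMBLE), "weld": (PART, UNIT, TAU_WELD)}
CTX0: Ctx = (Bind("body", PART),)


def production_line(wait: Callable[[Comp], Comp]) -> Tuple[Ty, int]:
    """paint body (x. wait(unbox_5 x as body' in assemble body' (u. return u)))."""
    use = Unbox(TAU_DRY, Var("x"), "body'",
                Op("assemble", Var("body'"), "u", Return(Var("u"))))
    return check_comp(SIG, CTX0, Op("paint", Var("body"), "x", wait(use)))


def check_with_delay() -> Tuple[Ty, int]:   # idle for tau_dry: accepted, 2 + 5 + 3
    return production_line(lambda k: Delay(TAU_DRY, k))

def check_with_weld() -> Tuple[Ty, int]:    # weld meanwhile: accepted, 2 + 6 + 3
    return production_line(lambda k: Op("weld", Var("body"), "u", k))

def check_without_wait() -> str:            # the naive snippet of Section 1: rejected
    try:
        return str(production_line(lambda k: k))
    except TemporalTypeError as err:
        return str(err)
```

In the weld variant the unbox is checked in the context body : Part, ⟨2⟩, x : [5] Part, ⟨6⟩, u : unit, so time Γ = 8 ≥ 5 and Γ − 5 = body : Part, ⟨2⟩, x : [5] Part, ⟨1⟩ still contains x; in the variant without a wait, time Γ = 2 < 5 and the unbox is rejected before Γ − τ is even consulted. Had τ_paint been at least τ_dry, the checker would instead have rejected the program because Γ − τ_dry removes x, which was brought into scope only after paint finished. Note that, following UNBOX, the grade of the unbox must equal the grade of the resource type exactly.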


3.4 Admissibility of Renamings and Substitutions 
We now show that the expected structural and substitution rules [7] are admissible. 


Theorem 1. The typing relations Γ ⊢ V : X and Γ ⊢ M : X ! τ are closed 
under standard structural rules of weakening, exchange of consecutive variables, 
and contraction (omitted here). Furthermore, both typing relations are also closed 
under rules making ⟨−⟩ into a strong monoidal functor (with a co-strength) [45]: 

$$\dfrac{\Gamma, \langle 0 \rangle \vdash J}{\Gamma \vdash J} \qquad \dfrac{\Gamma, \langle \tau_1 + \tau_2 \rangle \vdash J}{\Gamma, \langle \tau_1 \rangle, \langle \tau_2 \rangle \vdash J} \qquad \dfrac{\Gamma \vdash J}{\Gamma, \langle \tau \rangle \vdash J} \qquad \dfrac{\Gamma, \langle \tau \rangle, x : X \vdash J}{\Gamma, x : X, \langle \tau \rangle \vdash J}$$

where ⊢ J ranges over both typing relations, the first two rules hold in 
both directions, and the last rule expresses that if we can type J using a variable 
“now”, we can also type J if that variable was brought into scope “earlier”. 


Proof. First, we define a renaming relation ρ : Γ ⇝ Γ', and then prove by 
induction that if Γ ⊢ J and ρ : Γ ⇝ Γ' then Γ' ⊢ J[ρ], where J[ρ] is J renamed 
with ρ. The ⇝ relation is defined as the reflexive-transitive-congruent closure of 
rules corresponding to the desired structural rules, e.g., var^x_ρ : Γ, y : X ⇝ Γ' 
and μ⁻¹ : Γ, ⟨τ₁ + τ₂⟩ ⇝ Γ, ⟨τ₁⟩, ⟨τ₂⟩. The full list is given in the online appendix. 

For the VAR and UNBOX cases of the proof, we show that if ρ : Γ ⇝ Γ' and 
x ∈_τ Γ, then ρx ∈_τ' Γ' for some τ' with τ ≤ τ', where x ∈_τ Γ means that x ∈ Γ 
and there is τ worth of modalities right of x in Γ, and ρx is the variable that 
ρ maps x to. For UNBOX, we further prove that if ρ : Γ ⇝ Γ', then for any τ 
we can build ρ − τ : Γ − τ ⇝ Γ' − τ, using the result about ∈_τ to ensure that ρ 
does not map any x ∈ Γ − τ outside of Γ' − τ. We also establish that if Γ ⇝ Γ', 
then time Γ ≤ time Γ', allowing us to deduce τ ≤ time Γ' from τ ≤ time Γ. 


The admissibility of the rules corresponding to μ^⇝ (and its inverse) relies on
us having defined context splitting in UNBOX using Γ − τ, as opposed to more
rigidly as Γ, Γ', as in [19], as then it would be problematic if the split happens
between ⟨τ1⟩, ⟨τ2⟩. Inverses of the last two rules in Thm. 1 are not valid: they
would allow unboxing temporal resources without enough time having passed.


Theorem 2. The typing relations Γ ⊢ V : X and Γ ⊢ M : X ! τ are closed
under substitution, i.e., if Γ, x:X, Γ' ⊢ J and Γ ⊢ W : X, then Γ, Γ' ⊢ J[W/x],
where J[W/x] is standard recursively defined capture-avoiding substitution [7].

Proof. The proof proceeds by induction on the derivation of Γ, x:X, Γ' ⊢ J.
The most involved case is UNBOX, where we construct the derivation of Γ, Γ' ⊢
unbox_τ V[W/x] as y in N[W/x] : Y ! τ' by first analysing whether τ ≤ time Γ',
which tells us whether x is in the context (Γ, x:X, Γ') − τ of V, based on which we
learn whether W continues to be substituted for x in V or whether V[W/x] = V.


3.5 Equational Theory 


We conclude the definition of λ[τ] by equipping it with an equational theory to
reason about program equivalence, defined using judgements Γ ⊢ V ≡ W : X
and Γ ⊢ M ≡ N : X ! τ, where we presuppose that the terms are well-typed
for the given contexts and types. The rules defining these relations are given in
Fig. 4. We omit standard equivalence, congruence, and substitutivity rules [7].
The equational theory consists of standard β/η-equations for the unit, product,
and function types. We also include monadic equations for return and let [52].
For op and delay, we include algebraicity equations, allowing us to pull them out
of let [8]. For handle, we include equations expressing that effect handling recursively
traverses a term, replacing each op-occurrence with the operation clause
M_op, leaving delays untouched, and finally executes the continuation N when
reaching return values [61]. Finally, we include β/η-equations for box and unbox,
expressing that unbox behaves as a pattern-matching elimination form for box.


4 Denotational Semantics 


We justify the design of λ[τ] by giving it a mathematically natural semantics
based on adjunctions between strong monoidal functors [45] (modelling modalities)
and a strong⁷ graded monad [35] (modelling computations). We assume
general knowledge of category theory, only spelling out details specific to λ[τ].
To optimise for space, we discuss the abstract model structure simultaneously
with a concrete example using presheaves [46], but note that the interpretation
is defined, and its soundness proved, with respect to the abstract structure.


⁷ To be more specific, we use a modal notion of [−]-strength that we define below.
  V ≡ () : unit                                                          (η)
  fun (x : X) ↦ V x ≡ V : X → Y ! τ                                      (η)
  (fun (x : X) ↦ M) V ≡ M[V/x]                                           (β)
  match (V, W) with {(x, y) ↦ N} ≡ N[V/x, W/y]                           (β)
  match V with {(x, y) ↦ N[(x, y)/z]} ≡ N[V/z]                           (η)
  let x = (return V) in N ≡ N[V/x]                                       (β)
  let y = (let x = M in N) in P ≡ let x = M in (let y = N in P)          (β)
  let x = M in return x ≡ M                                              (η)
  let x = (op V (y. M)) in N ≡ op V (y. let x = M in N)                  (β)
  let x = (delay τ M) in N ≡ delay τ (let x = M in N)                    (β)
  handle (return V) with H to x in N ≡ N[V/x]                            (β)
  handle (op V (y. M)) with H to x in N ≡
      M_op[V/x, box_{τ_op} (fun (y : B_op) ↦ handle M with H to x in N)/k]   (β)
  handle (delay τ M) with H to x in N ≡ delay τ (handle M with H to x in N)   (β)
  unbox_τ (box_τ V) as x in N ≡ N[V/x]                                   (β)
  unbox_τ V as x in N[box_τ x/y] ≡ N[V/y]                                (η)


Fig. 4. Equational theory of λ[τ].


When referring to the abstract model structure, we denote the underlying
category with C. Meanwhile, the concrete presheaf example is given in Set^(ℕ,≤),
consisting of functors from (ℕ, ≤) to the category Set of sets and functions.

The model in Set^(ℕ,≤) is similar to Kripke's possible worlds semantics, except
that in Set^(ℕ,≤) all objects are monotone for ≤, i.e., for any A ∈ Set^(ℕ,≤) we
have functions A(t1 ≤ t2) : A(t1) → A(t2) respecting reflexivity and transitivity,
whereas Kripke models are commonly given by discretely indexed presheaves
and only modalities change worlds. For λ[τ], working in Set^(ℕ,≤) gives us that
when a resource becomes available, it will remain so without need for reboxing,
leading to a more natural system for temporal resources and a simpler VAR rule.


4.1 Interpretation of Types 


Value Types and Contexts To interpret value types, we require the category
C to have finite products (1, A × B) and exponentials A ⇒ B, so as to model
the unit, product, and function types. In Set^(ℕ,≤), the former are given pointwise
using the finite products in Set, and the latter are given as (A ⇒ B)(t) ≝
Set^(ℕ,≤)(hom_t × A, B), where hom_t : (ℕ, ≤) → Set is the covariant hom-functor
for (ℕ, ≤), given by hom_t ≝ t ≤ (−) [46]. When unfolding it further, the above
means that (A ⇒ B)(t) is the set of functions (f_{t'} : A(t') → B(t'))_{t' ∈ ℕ, t ≤ t'}
that are natural in t', capturing the intuition that in λ[τ] functions can be applied
in any future context. For base types, we require an object ⟦b⟧ of C for each b.
To interpret the temporal resource type, we require a strong monoidal functor
[−] : (ℕ, ≤) → [C, C], where [C, C] is the category of endofunctors on C. This
means that we have functors [τ] : C → C, for all τ ∈ ℕ, together with morphisms
[τ1 ≤ τ2]_A : [τ1]A → [τ2]A, natural in A and respecting ≤. Strong monoidality
of [−] means that we have natural isomorphisms ε_A : [0]A ≅ A and δ_{A,τ1,τ2} :
[τ1 + τ2]A ≅ [τ1]([τ2]A), satisfying time-graded variants of comonad laws [10]:


  ε_{[τ]A} ∘ δ_{A,0,τ} = id      [τ](ε_A) ∘ δ_{A,τ,0} = id      δ_{[τ3]A,τ1,τ2} ∘ δ_{A,τ1+τ2,τ3} = [τ1](δ_{A,τ2,τ3}) ∘ δ_{A,τ1,τ2+τ3}


We also require δ_{A,τ1,τ2} to be monotone in τ1, τ2, i.e., if τ1 ≤ τ1' and
τ2 ≤ τ2', then [τ1']([τ2 ≤ τ2']_A) ∘ [τ1 ≤ τ1']_{[τ2]A} ∘ δ_{A,τ1,τ2} = δ_{A,τ1',τ2'} ∘ [τ1 + τ2 ≤ τ1' + τ2']_A. We omit
the indices of the components of natural transformations when convenient.

In Set^(ℕ,≤), we define ([τ]A)(t) ≝ A(t + τ), with [τ]A-values given by future
A-values, and with (ε_A, ε_A^{-1}, δ_{A,τ1,τ2}, δ_{A,τ1,τ2}^{-1}) given by identities on A-values, combined
with the laws of (0, +), e.g., as ε_A : (a ∈ ([0]A)(t) = A(t + 0)) ↦ a ∈ A(t).

Using the above, we interpret a value type X as an object ⟦X⟧ of C, as

  ⟦b⟧ ≝ ⟦b⟧      ⟦unit⟧ ≝ 1      ⟦X × Y⟧ ≝ ⟦X⟧ × ⟦Y⟧      ⟦X → Y ! τ⟧ ≝ ⟦X⟧ ⇒ T τ ⟦Y⟧      ⟦[τ]X⟧ ≝ [τ]⟦X⟧

where T is a graded monad for modelling computations, to which we return below.
The interpretation of ground types ⟦A⟧^g is defined similarly, so we omit it here.

Next, we define the interpretation of contexts, for which we require another
strong monoidal functor, ⟨−⟩ : (ℕ, ≤)^op → [C, C]. Note that ⟨−⟩ is contravariant:
this enables us to model the structural rules that allow terms typed in an
earlier context to be used in future ones (see Thm. 1). We denote the strong
monoidal structure of ⟨−⟩ with η_A : A ≅ ⟨0⟩A and μ_{A,τ1,τ2} : ⟨τ1⟩(⟨τ2⟩A) ≅
⟨τ1 + τ2⟩A, required to satisfy time-graded variants of monad laws [45], given by


  μ_{A,0,τ} ∘ η_{⟨τ⟩A} = id      μ_{A,τ,0} ∘ ⟨τ⟩(η_A) = id      μ_{A,τ1+τ2,τ3} ∘ μ_{⟨τ3⟩A,τ1,τ2} = μ_{A,τ1,τ2+τ3} ∘ ⟨τ1⟩(μ_{A,τ2,τ3})


and (μ_{A,τ1,τ2}, μ_{A,τ1,τ2}^{-1}) have to be monotone in τ1, τ2, similarly to (δ, δ^{-1}) above.
In Set^(ℕ,≤), we define (⟨τ⟩A)(t) ≝ (τ ≤ t) × A(t − τ), as past A-values, with
the side-condition τ ≤ t crucial for the existence of the adjunctions ⟨τ⟩ ⊣ [τ] we
require below. We define (η_A, η_A^{-1}, μ_A, μ_A^{-1}) similarly to earlier, as identities on
A-values, combined with the laws of (0, +, −), so as to satisfy the side-conditions.
With this, we can interpret contexts Γ as functors ⟦Γ⟧ : C → C, given by:

  ⟦∅⟧A ≝ A      ⟦Γ, x:X⟧A ≝ ⟦Γ⟧A × ⟦X⟧      ⟦Γ, ⟨τ⟩⟧A ≝ ⟨τ⟩(⟦Γ⟧A)

We interpret contexts as functors to easily manipulate denotations of composite
contexts, e.g., we then have ι_{Γ,Γ',A} : ⟦Γ, Γ'⟧A ≅ ⟦Γ'⟧(⟦Γ⟧A), natural in A.
Finally, to formulate the semantics of computation types and terms, we require
there to be a family of adjunctions ⟨τ⟩ ⊣ [τ], i.e., natural transformations
η^τ_A : A → [τ](⟨τ⟩A) (the unit) and ε^τ_A : ⟨τ⟩([τ]A) → A (the counit), for all
τ ∈ ℕ, satisfying time-graded variants of standard adjunction laws [45], given by

  ε^τ_{⟨τ⟩A} ∘ ⟨τ⟩(η^τ_A) = id      [τ](ε^τ_A) ∘ η^τ_{[τ]A} = id

We also require (η^τ, ε^τ) to interact well with the strong monoidal structures:


[KO ong on oe=[0<7] aE) o [nnd ya) oan = FON" 
(O([O<r]) onoe oez, =O<T) EF, CTE Ara) O(T(KT2(9)) = e7 o p 


Proposition 1. It then follows that 4 9 = EDA ona and Exo =e,o Moja: 


In Set^(ℕ,≤), η^τ_A and ε^τ_A are given by identities on A-values, respectively
combined with τ ≤ t + τ and monotonicity for (t − τ) + τ = t. For the latter, we
crucially know τ ≤ t due to the side-condition included in the definition of ⟨−⟩.

We note that modulo the time grades τ, the above structure is analogous to
the models of the Fitch-style presentation of S4 [19], where □ is modelled by
an idempotent comonad, the lock 🔒 by an idempotent monad, and boxing/unboxing by
🔒 ⊣ □. This is also why we present [−] and ⟨−⟩ as comonad- and monad-like.


Computation Types For computation types, we require a [−]-strong graded
monad (T, η^T, μ^T, str^T) on C, with grades in ℕ.⁸ In detail, this means a functor
T : ℕ → [C, C], together with natural transformations η^T_A : A → T 0 A (the
unit), μ^T_{A,τ1,τ2} : T τ1 (T τ2 A) → T (τ1 + τ2) A (the multiplication), and str^T_{A,B,τ} :
[τ]A × T τ B → T τ (A × B) (the strength), with the first two satisfying standard
graded monad laws (see [35] or (η, μ) of ⟨−⟩). Below we only present the laws
for str^T because it has a novel temporal aspect to it: its first argument appears
under [τ]. As such, str^T expresses that if we know an A-value will be available
after τ time units, we can push it into computations taking τ-time to execute.
We say that T is a [−]-strong graded monad following the parlance of Bierman
and de Paiva [12]: in their work they model the possibility modality ◇ as
a □-strong monad. While the laws governing str^T are not overly different from
standard graded strength laws [35], we have to correctly account for [−] in them


  str^T_{A,B,0} ∘ (ε_A^{-1} × η^T_B) = η^T_{A×B}
  μ^T_{A×B,τ1,τ2} ∘ T τ1 (str^T_{A,B,τ2}) ∘ str^T_{[τ2]A,T τ2 B,τ1} = str^T_{A,B,τ1+τ2} ∘ (δ_{A,τ1,τ2}^{-1} × μ^T_{B,τ1,τ2})
  T τ (snd) ∘ str^T_{A,B,τ} = snd
  T τ (α_{A,B,C}) ∘ str^T_{A×B,C,τ} ∘ (m_{A,B,τ} × id) ∘ α^{-1} = str^T_{A,B×C,τ} ∘ (id × str^T_{B,C,τ})

where α_{A,B,C} : (A × B) × C ≅ A × (B × C), and m_{A,B,τ} : [τ]A × [τ]B → [τ](A × B)
witnesses that [τ] is monoidal for ×, which follows from [τ] being a right adjoint
[45]. Observe that it is the [−]-strength that naturally gives T a temporal
flavour: the rest of it is standard [35]. Below we show that str^T is also mathematically
natural, admitting an analogous characterisation to ordinary strength.


⁸ As λ[τ] does not include sub-effecting (see §6.2), a discretely graded monad T suffices.
Proposition 2. Analogously to ordinary strong and enriched monads [39], T
having [−]-strength is equivalent to [−]-enrichment of T, given by morphisms
[τ](A ⇒ B) → (T τ A ⇒ T τ B) respecting C's self-enrichment [38] and (η^T, μ^T).


In order to model operations op and delay in §4.2, we require T to be equipped
with algebraic operations: we ask there to be families of natural transformations
op_{A,τ} : ⟦A_op⟧^g × [τ_op](⟦B_op⟧^g ⇒ T τ A) → T (τ_op + τ) A, for all op : A_op ⇝
B_op ! τ_op ∈ O, and delay_{A,τ,τ'} : [τ](T τ' A) → T (τ + τ') A, for all τ, τ' ∈ ℕ, satisfying
algebraicity laws [61], which state that both commute with μ^T and str^T, e.g.,

  str^T_{A,B,τ+τ'} ∘ (id × delay_{B,τ,τ'}) = delay_{A×B,τ,τ'} ∘ [τ](str^T_{A,B,τ'}) ∘ m ∘ (δ_{A,τ,τ'} × id)


In Set^(ℕ,≤), we can define T as the initial algebra of a corresponding signature
functor for operations op and delay, analogously to the usual treatment of
algebraic effects [8]. Concretely, such T is determined inductively by three cases

  a ∈ A(t)                 a ∈ ⟦A_op⟧^g(t)    k ∈ ([τ_op](⟦B_op⟧^g ⇒ T τ A))(t)        k ∈ ([τ](T τ' A))(t)
  -------------------      -------------------------------------------------      ------------------------------
  ret a ∈ (T 0 A)(t)       op a k ∈ (T (τ_op + τ) A)(t)                            delay τ k ∈ (T (τ + τ') A)(t)

with (η^T, μ^T, str^T, op^T, delay^T) defined in the expected way, e.g., str^T is given by
recursively traversing a computation of type T τ B and moving the argument of
type [τ]A under ret cases, modifying τ when going under the op and delay cases.


4.2 Interpretation of Value and Computation Terms


The interpretation of values and computations is defined simultaneously. We only
present the temporally interesting cases; full details are in the online appendix.

As λ[τ] does not have sub-effecting and includes enough type annotations for
typing derivations to be unique, this interpretation is coherent by construction.


Values We assume a morphism ⟦f⟧ : ⟦A1⟧^g × ... × ⟦An⟧^g → ⟦B⟧^g for every
f : (A1, ..., An) → B. We interpret a well-typed value Γ ⊢ V : X as a morphism
⟦Γ ⊢ V : X⟧ : ⟦Γ⟧1 → ⟦X⟧ in C by induction on the given typing derivation.
Most of the value cases are standard, and analogous to other calculi based on
fine-grain call-by-value [44] and graded monads [35], using the Cartesian-closed
structure of C. The temporally interesting cases are VAR and BOX, given by


  ⟦Γ, x:X, Γ' ⊢ x : X⟧ ≝ ⟦Γ, x:X, Γ'⟧1 --ι--> ⟦Γ'⟧(⟦Γ⟧1 × ⟦X⟧) --e--> ⟨time Γ'⟩(⟦Γ⟧1 × ⟦X⟧)
                           --⟨time Γ'⟩(snd)--> ⟨time Γ'⟩⟦X⟧ --ε^⟨⟩--> ⟦X⟧

  ⟦Γ ⊢ box_τ V : [τ]X⟧ ≝ ⟦Γ⟧1 --η^τ--> [τ](⟨τ⟩(⟦Γ⟧1)) --[τ](⟦V⟧)--> [τ]⟦X⟧

where e_{A,Γ} : ⟦Γ⟧A → ⟨time Γ⟩A extracts and collapses all temporal modalities
in Γ, and the counit-like ε^⟨⟩_{A,τ} is given by the composite ⟨τ⟩A --⟨0 ≤ τ⟩_A--> ⟨0⟩A --η_A^{-1}--> A.
Computations We interpret a well-typed computation Γ ⊢ M : X ! τ as a
morphism ⟦Γ ⊢ M : X ! τ⟧ : ⟦Γ⟧1 → T τ ⟦X⟧ in C by induction on the typing
derivation. The definition is largely unsurprising and follows a pattern similar
to [35,44]; the novelty lies in controlling the occurrences of ⟨−⟩ and [−].

In LET, we use ⟨τ⟩ ⊣ [τ] to push the environment "into the future", and then
follow the standard monadic strength-followed-by-multiplication pattern [35,52]:


  ⟦Γ ⊢ let x = M in N : Y ! τ + τ'⟧ ≝ ⟦Γ⟧1 --⟨η^τ, ⟦M⟧⟩--> [τ](⟨τ⟩(⟦Γ⟧1)) × T τ ⟦X⟧
      --str^T--> T τ (⟨τ⟩(⟦Γ⟧1) × ⟦X⟧) --T τ (⟦N⟧)--> T τ (T τ' ⟦Y⟧) --μ^T--> T (τ + τ') ⟦Y⟧


An analogous use of ⟨τ⟩ ⊣ [τ] also appears in the cases for operations, e.g., in

  ⟦Γ ⊢ op V (x.M) : X ! τ_op + τ⟧ ≝ ⟦Γ⟧1 --⟨⟦V⟧, η^{τ_op}⟩--> ⟦A_op⟧^g × [τ_op](⟨τ_op⟩(⟦Γ⟧1))
      --id × [τ_op](curry(⟦M⟧))--> ⟦A_op⟧^g × [τ_op](⟦B_op⟧^g ⇒ T τ ⟦X⟧) --op^T--> T (τ_op + τ) ⟦X⟧
Next, the UNBOX case of the interpretation is defined as

  ⟦Γ ⊢ unbox_τ V as x in N : Y ! τ'⟧ ≝ ⟦Γ⟧1 --⟨id, η^PRA_{Γ,τ,1}⟩--> ⟦Γ⟧1 × ⟨τ⟩(⟦Γ − τ⟧1)
      --id × ⟨τ⟩(⟦V⟧)--> ⟦Γ⟧1 × ⟨τ⟩([τ]⟦X⟧) --id × ε^τ--> ⟦Γ⟧1 × ⟦X⟧ --⟦N⟧--> T τ' ⟦Y⟧

showing that temporal resources follow the common pattern in which elimination
forms are modelled by counits of adjunctions, whereas units model introduction
forms (akin to functions). The morphism η^PRA_{Γ,τ,A} : ⟦Γ⟧A → ⟨τ⟩(⟦Γ − τ⟧A) extracts
and collapses τ worth of context modalities in Γ, as long as τ ≤ time Γ. It
is a semantic counterpart to an observation that the context modality Γ, ⟨τ⟩ is a
parametric right adjoint to the Γ − τ operation, as in recent dependently typed
presentations of Fitch-style modal types [27]; see §6.1 for further discussion.
Finally, we discuss the interpretation of effect handling. For this, we additionally
require C to have set-indexed products Π_{i∈I} and handling morphisms

  χ_{A,τ,τ'} : Π_{op∈O} Π_{τ''∈ℕ} ((⟦A_op⟧^g × [τ_op](⟦B_op⟧^g ⇒ T τ'' A)) ⇒ T (τ_op + τ'') A)
               ⇒ (T τ (T τ' A) ⇒ T (τ + τ') A)

satisfying laws which state that χ_A returns a graded T-algebra [22,50], e.g., we
require uncurry(χ_{A,0,τ'}) ∘ (id × η^T) = snd, where uncurry (and curry earlier) is
part of the universal property of A ⇒ B. We also require similar laws for χ's
interaction with op^T and delay^T. In Set^(ℕ,≤), χ is defined by recursively traversing
a given tree, replacing all occurrences of op a k with respective operation clauses.
Writing H for the domain of χ_{⟦Y⟧,τ,τ'}, the HANDLE case is then defined as


  ⟦Γ ⊢ handle M with H to x in N : Y ! τ + τ'⟧ ≝
      ⟦Γ⟧1 --⟨id, ⟨η^τ, ⟦M⟧⟩⟩--> ⟦Γ⟧1 × ([τ](⟨τ⟩(⟦Γ⟧1)) × T τ ⟦X⟧)
      --id × str^T--> ⟦Γ⟧1 × T τ (⟨τ⟩(⟦Γ⟧1) × ⟦X⟧) --id × T τ (⟦N⟧)--> ⟦Γ⟧1 × T τ (T τ' ⟦Y⟧)
      --⟦H⟧ × id--> H × T τ (T τ' ⟦Y⟧) --uncurry(χ_{⟦Y⟧,τ,τ'})--> T (τ + τ') ⟦Y⟧

where we write ⟦H⟧ for the point-wise interpretation of operation clauses

  ⟦H⟧ ≝ ⟨⟨curry(⟦M_op⟧_{τ''} ∘ α^{-1})⟩_{τ''∈ℕ}⟩_{op∈O}
      : ⟦Γ⟧1 → Π_{op∈O} Π_{τ''∈ℕ} ((⟦A_op⟧^g × [τ_op](⟦B_op⟧^g ⇒ T τ'' ⟦Y⟧)) ⇒ T (τ_op + τ'') ⟦Y⟧) = H


4.3 Renamings, Substitutions, and Soundness 


We now show how syntactic renamings and substitutions relate to semantic morphism
composition, using which we then prove the interpretation to be sound.


Proposition 3. Given ρ : Γ ⇝ Γ' and Γ ⊢ J, then ⟦J[ρ]⟧ = ⟦J⟧ ∘ ⟦ρ⟧_1, where
the interpretation of renamings ⟦ρ⟧_A : ⟦Γ'⟧A → ⟦Γ⟧A is defined by induction
on the derivation of ρ : Γ ⇝ Γ', with the morphism ⟦ρ⟧_A also natural in A.


Proposition 4. Given Γ, x:X, Γ' ⊢ J and Γ ⊢ W : X, we have ⟦J[W/x]⟧ =
⟦J⟧ ∘ ι^{-1}_{Γ,(x:X,Γ'),1} ∘ ⟦Γ'⟧(⟨id, ⟦W⟧⟩) ∘ ι_{Γ,Γ',1}, where (ι, ι^{-1}) are discussed in §4.1.


Proof. We prove both results by induction on the derivation of Γ ⊢ J. The proofs
are unsurprising but require us to prove auxiliary lemmas about recursively
defined renamings and semantic morphisms. For example, for Prop. 3, we show
η^PRA_{Γ,τ,A} ∘ ⟦ρ⟧_A = ⟨τ⟩(⟦ρ − τ⟧_A) ∘ η^PRA_{Γ',τ,A} : ⟦Γ'⟧A → ⟨τ⟩(⟦Γ − τ⟧A), and for Prop. 4, that
η^PRA_{Γ',τ,⟦Γ⟧A} ∘ ι_{Γ,Γ',A} = ⟨τ⟩(ι_{Γ,Γ'−τ,A}) ∘ η^PRA_{(Γ,Γ'),τ,A} : ⟦Γ, Γ'⟧A → ⟨τ⟩(⟦Γ' − τ⟧(⟦Γ⟧A)), when τ ≤ time Γ'.


Theorem 3. Given Γ ⊢ I ≡ J derived using the rules in §3.5, then ⟦I⟧ = ⟦J⟧.


Proof. The proof proceeds by induction on the derivation of Γ ⊢ I ≡ J, using
Prop. 3 and Prop. 4 to unfold the renamings and substitutions in the equations
of §3.5, and using the properties of the abstract structure we required C to have.


5 Quotienting Delays 


Observe that in λ[τ] the computations delay τ (delay τ' M) and delay (τ + τ') M
cannot be proved equivalent, though in some situations this might be desired.
In order to deem the above two programs (and others alike) equivalent, we
extend λ[τ]'s equational theory with the following natural equations for delays:

  delay 0 M ≡ M      delay τ (delay τ' M) ≡ delay (τ + τ') M

Theorem 4. If the algebraic operations delay^T of T satisfy analogous two equations,
the interpretation of §4 is sound for this extended equational theory.


For the concrete model in Set^(ℕ,≤), we have to quotient T [36] by these two
equations; the resulting graded monad is determined inductively by the cases

  k ∈ (S τ A)(t)            τ > 0    k ∈ ([τ](S τ' A))(t)
  --------------------      ---------------------------------
  comp k ∈ (T τ A)(t)       delay τ k ∈ (T (τ + τ') A)(t)

  a ∈ A(t)                  a ∈ ⟦A_op⟧^g(t)    k ∈ ([τ_op](⟦B_op⟧^g ⇒ T τ A))(t)
  --------------------      -------------------------------------------------
  ret a ∈ (S 0 A)(t)        op a k ∈ (S (τ_op + τ) A)(t)

where (T τ A)(t) and (S τ A)(t) are defined simultaneously in such a way that
only non-zero, non-consecutive delays can appear in the tree structure.
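As an added example, not the paper's own code, the following Python models the computation trees of the concrete monad T from §4.1, implements on them the let and handle equations of Fig. 4, and performs the delay-quotienting of §5 (merging consecutive delays and dropping zero delays) while checking that time grades are preserved; the tree classes, the finite continuation tables, and the sample program and handler are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Any, Dict

# Added example, not the paper's own code. Simplification (assumption): the
# presheaf indexing over (ℕ, ≤) is dropped, so A-values are plain Python
# objects and only the time grades τ are tracked. Continuations are finite
# tables (result value ↦ tree) so trees can be inspected and compared.


@dataclass(frozen=True)
class Ret:                 # return V : X ! 0
    value: Any


@dataclass(frozen=True)
class Op:                  # op V (y. M) : X ! τ_op + τ
    name: str
    arg: Any               # V : A_op
    tau_op: int            # time the operation itself takes
    cont: Dict[Any, Any]   # y ↦ M for each possible result y : B_op


@dataclass(frozen=True)
class Delay:               # delay τ M : X ! τ + τ'
    tau: int
    body: Any


def grade(m):
    """Time grade τ of a closed computation M : X ! τ, read off the tree.
    All branches of an op continuation must agree, as typing demands."""
    if isinstance(m, Ret):
        return 0
    if isinstance(m, Delay):
        return m.tau + grade(m.body)
    grades = {grade(k) for k in m.cont.values()}
    assert len(grades) == 1, "ill-typed tree: branches have different grades"
    return m.tau_op + grades.pop()


def bind(m, f):
    """let x = m in f(x): pushed under op and delay by the algebraicity
    equations of Fig. 4; f maps a value V to the tree N[V/x]."""
    if isinstance(m, Ret):
        return f(m.value)
    if isinstance(m, Op):
        return Op(m.name, m.arg, m.tau_op, {y: bind(k, f) for y, k in m.cont.items()})
    return Delay(m.tau, bind(m.body, f))


def handle(m, clauses, f):
    """handle m with H to x in f(x): each op node is replaced by its clause
    clauses[op](V, k), where k is the already-handled continuation table;
    delays are left untouched and f runs at return values (Fig. 4)."""
    if isinstance(m, Ret):
        return f(m.value)
    if isinstance(m, Op):
        k = {y: handle(branch, clauses, f) for y, branch in m.cont.items()}
        return clauses[m.name](m.arg, k)
    return Delay(m.tau, handle(m.body, clauses, f))


def normalise(m):
    """Quotient by delay 0 M = M and delay τ (delay τ' M) = delay (τ+τ') M,
    giving the T/S shape of §5: only non-zero, non-consecutive delays."""
    if isinstance(m, Ret):
        return m
    if isinstance(m, Op):
        return Op(m.name, m.arg, m.tau_op, {y: normalise(k) for y, k in m.cont.items()})
    total, body = 0, m
    while isinstance(body, Delay):      # merge a run of consecutive delays
        total += body.tau
        body = body.body
    body = normalise(body)              # body is now a Ret or an Op
    return body if total == 0 else Delay(total, body)


def is_normal(m):
    """True when m already has the shape produced by normalise."""
    if isinstance(m, Ret):
        return True
    if isinstance(m, Op):
        return all(is_normal(k) for k in m.cont.values())
    return m.tau > 0 and not isinstance(m.body, Delay) and is_normal(m.body)


# Constructed sample: delay 0 (delay 1 (read "sensor" (y. ...))), where read
# takes 2 time units and both branches wait a further 3 before returning.
SAMPLE = Delay(0, Delay(1, Op("read", "sensor", 2, {
    True: Delay(3, Ret(1)),
    False: Delay(0, Delay(3, Ret(0))),
})))

# Constructed handler clause: simulate read by waiting τ_op, then resume
# the continuation with True; its grade is τ_op + τ'' as the typing requires.
SIMULATE_READ = {"read": lambda arg, k: Delay(2, k[True])}
```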
6 Related and Future Work


6.1 Related Work 


We contribute to two prominent areas: (i) modal types and (ii) graded monads. 
As noted in §2.1, modal types provide a mathematically natural means for 
capturing many aspects of programming. Adding to §2.1, types corresponding 
to the eventually and always modalities of temporal logics capture functional 
reactive programming (FRP) [18,32,42], including a combination with linearity 
and time-annotations to model resources [33], where all values are annotated 
with inhabitation times. Recently, FRP has also been studied in Fitch-style [6]. 
Starting with Nakano [55], modal types have also been used for guarded recursion, 
even in the dependently typed setting [5,14,47], including in Fitch-style [13]. 
We also note that λ[τ]'s time grades τ and the Γ − τ operation are closely
related to recent dependently typed Fitch-style frameworks. Namely, [28] develops
a multimodal type theory (MTT) where types [μ]X are indexed by 1-cells μ
of a strict 2-category (a mode theory). The time grades τ of λ[τ] are an example
of such mode theories, given by the delooping of ℕ, i.e., by a single 0-cell, τs as
1-cells, and τ ≤ τ's as 2-cells. While ensuring the admissibility of and naturality
under substitutions, MTT with its indirect elimination rule for [μ]X is weaker
than earlier systems (such as [13]). The direct-style elimination rule is recovered
in [27] by observing that in addition to Γ, 🔒_μ being a left adjoint to [μ]X, it
should further form a parametric right adjoint (PRA) [17,71] to contexts of the
form Γ/(r : μ), where r is a substitution −, 🔒_μ ⇝ Γ. The operation Γ − τ in λ[τ]
is an instance of this: μ is a τ, r corresponds to the condition τ ≤ time Γ in UNBOX,
contexts Γ/(r : μ) are given by Γ − τ, and the PRA situation is witnessed
by renamings ((Γ − τ), ⟨τ⟩) ⇝ Γ, when τ ≤ time Γ, and Γ ⇝ ((Γ, ⟨τ⟩) − τ).
Graded monads provide a uniform framework for different effect systems and 
effect-based analyses [22,35,36,50,51]. A major contribution of ours is showing 
that context modalities can inform continuations of preceding computations’ ef- 
fects. While the theory of graded monads can be instantiated with any ordered 
monoid, we focus on natural numbers to model time, but do not expect complications
generalising λ[τ] to other structures with the same properties as (ℕ, 0, +, −, ≤),
and perhaps even to grading T and ⟨−⟩, [−] with different structures, akin to [23].
Our use of [τ]X to restrict when resources are available is somewhat reminiscent
of coeffects [16,24,57,58] and quantitative type systems [4,49,53]. In these
works, variables are graded by (semi)ring-valued rs, as x :_r X, counting how many
times and in which ways x is used, enabling applications such as liveness and
dataflow analyses [57]. Semantically, these systems often interpret x :_r X using a
graded comonad, as □_r X, where one can access X only if r = 1. Of such works,
the closest to ours is that of Gaboardi et al. [23], who combine coeffects with ef- 
fectful programs via distributive laws between the grades of coeffects and effects, 
allowing coeffectful analyses to be propagated through effectful computations. 
We also note that the type [τ]X can intuitively also be viewed as a temporally
graded variant of promise types [29,65], in that it expresses that a value of type
X will be available in the future, but with additional time guarantees.
6.2 Future Work


Currently, λ[τ] does not support sub-effecting: we cannot deduce from τ ≤ τ' and
Γ ⊢ M : X ! τ that Γ ⊢ M : X ! τ'. Of course, we can simulate this by inserting
τ' − τ worth of explicit delays into M, but this is extremely intensional, fixing
where delays happen. In particular, we cannot type equations such as let x =
(return V) in N ≡ N[V/x] if return V was sub-effected to τ > 0, with the ⟨τ⟩ in
N's context the culprit. However, when considering sub-effecting as a coercion
coerce_{τ≤τ'} M, we believe we can add it by considering equations stating that it
will produce all the possible ways how τ' − τ worth of delays could be inserted
into M. Of course, this will require a more complex non-deterministic semantics.
It would be neat if λ[τ] also included recursion in a way that programs
could make use of the temporal discipline. This is likely unattainable for general
recursion, but we hope that primitive recursion (say, on natural numbers) can
be added via type-dependency of time grades τ on the values being recursed on.
It would be interesting to combine λ[τ] with linear [25] and separation logics
[34,64] to model linear and spatial properties of temporal resources. Another
goal would be to add concurrency, e.g., using (multi)handlers [9,20,21]. We also
plan to look into capturing expiring and available-for-an-interval style resources.
Further, we plan to study λ[τ]'s operational semantics, namely, one that takes
time seriously and does not model delays simply as uninterpreted operations [9],
together with developing a prototype, and proving normalisation akin to [26,69].
We also plan to study the completeness of the denotational semantics of λ[τ].
For such semantic investigations, it could be beneficial to also study the general 
theory of the kinds of temporally aware graded algebraic effects used in this 
paper, by investigating their algebras and equational presentations [36,50]. 


7 Conclusion 


We have shown how a temporal, time-graded variant of Fitch-style modal type 
systems, when combined with an effect system based on graded monads, provides 
a natural framework for safe programming with temporal resources. To this end, 
we developed a modally typed, effectful, equationally-presented core calculus, 
and equipped it with a sound denotational semantics based on strong monoidal 
functors (for modelling modalities) and graded monads (for modelling effects). 
The calculus also includes temporally aware graded algebraic effects and effect 
handlers, with the continuations of the former knowing that an operation’s worth 
of additional time has passed before they start executing, and where the user- 
defined effect handlers are guaranteed to respect this temporal discipline. 
Abstract. We prove decidability for contextual equivalence of the λμν-calculus,
that is the simply-typed call-by-value λμ-calculus equipped with
booleans and fresh name creation, with contexts taken in λμref, that is the
λμν-calculus extended with higher-order references.

The proof exploits a labelled transition system capturing the interactions
between λμν programs and λμref contexts. The induced bisimulation
equivalence is characterized as equality of certain trees, inspired by the
work of Lassen. Since these trees are computable and finite, decidability
follows. Bisimulation coincides also with trace equivalence, which in turn
coincides with contextual equivalence.


1 Introduction 


Dynamic allocation is central to many programming constructions. Many lan- 
guages provide built-in support for dynamically-allocated resources, for exam- 
ple, objects in Java or references in ML. The creation of these resources is local, 
meaning that resources can be accessed only within their scope. They can also be 
passed around via function applications, in which case their scope is not static 
but evolves dynamically. When building semantics for such languages, one rep- 
resents dynamic allocation as the creation of fresh locations, that can be seen as 
atoms or names. 

In this paper, we study a paradigmatic language with dynamic allocation,
namely the ν-calculus, a simply-typed call-by-value λ-calculus with fresh atom
creation and equality test of atoms, as introduced by Pitts and Stark in [24]. For
instance, the ν-calculus program new n in λx.(x = n) allocates a new atom n,
receives an atom x and returns the result of the comparison between x and n.

A central question while studying this language is to determine when two 
programs can be considered to be equivalent. The most studied approach to 
express behavioral equivalence between programs is contextual equivalence. In- 
tuitively, two programs are deemed equivalent if and only if whenever they are 
run as part of an enclosing program called the context, it is not possible to dis- 
tinguish one from the other. For instance, because the context has no way to 
guess the atom n, we expect the program above to be equivalent to λx.false.

Reasoning on contextual equivalence for the v-calculus has shown to be chal- 
lenging, due to the interplay between the higher-order control flow and the scope 
extrusion of atoms. A variety of frameworks has been introduced to do so, based
on logical relations [24], environmental bisimulations [5], and game semantics [1]. 


However, the question of whether this equivalence is decidable remains open 
since the introduction of this language 30 years ago. 


In this paper, we address this question by working in an asymmetric setting, 
giving contexts more discriminating power than just the mere creation of atoms. 
Indeed, contextual equivalence depends on two languages: the language for pro- 
grams, and the language for contexts interacting with these programs. We take 
contexts in the λμref-calculus, an extension of the ν-calculus with both higher-order
references and continuations. In this setting, atoms are simply references
where only the unit value can be stored. Contextual equivalence is then coarser 
than for the symmetric setting when the contexts are also taken in the v-calculus. 
For example, one of the standard examples of equivalence of the literature 


  new n in new n' in λf.(f n = f n') ≃ctx λf.true


is not an equivalence anymore, since a λμref context can provide a function that
stores its argument in a reference and uses it to discriminate these programs.


The main result we establish in this paper is the decidability of contextual
equivalence for terms of the ν-calculus with contexts in the λμref-calculus. More generally,
we establish this result for terms of the λμν-calculus, which corresponds
to terms of the λμref-calculus that only use references storing the unit value.


To establish this result, we provide a Böhm-like tree representation [6,3]
for the terms of the λμν-calculus. Being in call-by-value, equality of such trees
coincides with Lassen's eager normal form bisimulations [16]. Moreover, since
programs in the λμν-calculus are terminating, these trees, which we call Lassen
trees, are finite. It is thus straightforward to check their equality. Then, we prove
that Lassen tree equality is fully abstract, that is, it coincides with contextual
equivalence with contexts in the λμref-calculus.


Proving this full-abstraction result is done through the introduction of an
operational game semantics (OGS) for λμref by defining a Labelled Transition
System (LTS) that distinguishes between internal operations, Proponent moves
(originating in the program) and Opponent moves (originating in the context).
Trace equivalence based on these labelled transitions is shown to coincide with
the contextual equivalence of λμref.


The OGS also gives rise to a notion of bipartite bisimulation, describing a
game between Proponent (the program in λμref) and Opponent (a context in
λμref). Proponent reduces the program until it reaches a normal form, that triggers
gers an interaction with the context. Along the game, knowledge is accumulated 
in configurations. When it is Opponent’s turn to play, it chooses between an- 
swering a previous function call from Proponent, or generating a new function 
call, to which Proponent shall answer. Among this knowledge, we accumulate 
the atoms that have been disclosed by the two players, so that Opponent cannot 
use an atom private to Proponent. 
The OGS LTS generates infinite trees since Opponent can interrogate an
arbitrary number of times each value provided by Proponent. The Lassen trees 
used to decide contextual equivalence are generated using a linearized variant of 
the OGS LTS, called the Prime Operational Game Semantics (POGS) LTS. The 
POGS LTS enforces that Opponent interrogates only once each value provided 
by Proponent. For this linearization to be sound, one has to guess the disclosed 
status of atoms as soon as they are created. This can be illustrated by considering 
the following example of inequivalence 


  new n in λx.n ≄ctx λx. new n in n.


Opponent must be able to interrogate at least twice each of these two programs 
to discriminate them. The first program would then return the same atom at each 
call, while the second program would return two different atoms. The Lassen tree 
of the first program would declare n to be disclosed when giving back the control 
to Opponent by providing the A-abstraction, but this could not be matched by 
the second program, since n would not exist yet at that point of the interaction. 

The main technical challenge at this point is to prove that this forecasting of 
the disclosure process is sound and complete. This is done by proving that the 
bipartite bisimilarities defined over the OGS LTS and the POGS LTS coincide. 
One direction is proven by lifting POGS bisimulations into OGS bisimulations 
via an up-to technique. The other direction is done by introducing a new limit 
construction of the disclosed set of atoms appearing in the OGS bisimulations, 
to transform it into a POGS bisimulation. 


Paper outline. After introducing the λμref-calculus and the λμν-calculus in Sec- 
tion 2, we define the LTS for the OGS in Section 3. The induced trace equivalence 
coincides with contextual equivalence. We then move to Lassen trees in Section 4, 
and show that they yield an equivalence that coincides with bipartite bisimilarity 
in the OGS in Section 5. We discuss related work in Section 6, and present con- 
cluding remarks in Section 7. For lack of space, several technical developments 
are given in [9]. 


2 The λμref-calculus and the λμν-calculus 


The syntax of the λμref-calculus is given by the following grammar: 

$$\begin{array}{lrcl}
\text{Values} & V, W & ::= & x \mid () \mid \lambda x.M \mid \mathrm{true} \mid \mathrm{false} \mid \ell \\
\text{Terms} & M, N & ::= & V \mid \mathrm{let}\ x = M\ \mathrm{in}\ N \mid V\,W \mid \mathrm{if}\ V\ \mathrm{then}\ N_1\ \mathrm{else}\ N_2 \\
& & & \mid V = W \mid \mathrm{new}\ x = V\ \mathrm{in}\ M \mid V := W \mid\ !V \mid \mu c.M \mid [c]M \\
\text{Contexts} & C, C' & ::= & \bullet \mid [c]C \mid \mathrm{let}\ x = C\ \mathrm{in}\ M \mid \mathrm{let}\ x = M\ \mathrm{in}\ C \mid \lambda x.C \mid \mu c.C \\
& & & \mid \mathrm{if}\ V\ \mathrm{then}\ C\ \mathrm{else}\ M \mid \mathrm{if}\ V\ \mathrm{then}\ M\ \mathrm{else}\ C \mid \mathrm{new}\ x = V\ \mathrm{in}\ C \\
\text{Evaluation Contexts} & E, E' & ::= & [c]\bullet \mid E[\mathrm{let}\ x = \bullet\ \mathrm{in}\ M] \\
\text{Types} & \sigma, \tau & ::= & \mathrm{Unit} \mid \mathrm{Bool} \mid \sigma \to \tau \mid \mathrm{ref}\,\sigma \mid \bot
\end{array}$$


with x ∈ Vars (variables), c ∈ Covars (continuation variables), ℓ ∈ Locs (locations). We write supp(M) for the set of locations appearing in M, and FV(M) for the free variables of M. This language has two binders, the standard λ-abstraction, and the μ binder for continuation variables c, d [22]. 

$$\begin{array}{c}
\dfrac{\Gamma(x) = \sigma}{\Sigma;\Gamma \vdash x : \sigma} \qquad
\dfrac{\Sigma(\ell) = \mathrm{ref}\,\sigma}{\Sigma;\Gamma \vdash \ell : \mathrm{ref}\,\sigma} \qquad
\dfrac{}{\Sigma;\Gamma \vdash () : \mathrm{Unit}} \qquad
\dfrac{b \in \{\mathrm{true}, \mathrm{false}\}}{\Sigma;\Gamma \vdash b : \mathrm{Bool}} \\[3ex]
\dfrac{\Sigma;\Gamma, x:\sigma \vdash M : \tau}{\Sigma;\Gamma \vdash \lambda x.M : \sigma \to \tau} \qquad
\dfrac{\Sigma;\Gamma \vdash V : \sigma \to \tau \quad \Sigma;\Gamma \vdash W : \sigma}{\Sigma;\Gamma \vdash V\,W : \tau} \qquad
\dfrac{\Sigma;\Gamma \vdash N : \sigma \quad \Sigma;\Gamma, x:\sigma \vdash M : \tau}{\Sigma;\Gamma \vdash \mathrm{let}\ x = N\ \mathrm{in}\ M : \tau} \\[3ex]
\dfrac{\Sigma;\Gamma \vdash V : \mathrm{Bool} \quad \Sigma;\Gamma \vdash M_1 : \sigma \quad \Sigma;\Gamma \vdash M_2 : \sigma}{\Sigma;\Gamma \vdash \mathrm{if}\ V\ \mathrm{then}\ M_1\ \mathrm{else}\ M_2 : \sigma} \qquad
\dfrac{\Sigma;\Gamma \vdash V : \tau \quad \Sigma;\Gamma, x:\mathrm{ref}\,\tau \vdash M : \sigma}{\Sigma;\Gamma \vdash \mathrm{new}\ x = V\ \mathrm{in}\ M : \sigma} \\[3ex]
\dfrac{\Sigma;\Gamma \vdash V : \mathrm{ref}\,\sigma \quad \Sigma;\Gamma \vdash W : \sigma}{\Sigma;\Gamma \vdash V := W : \mathrm{Unit}} \qquad
\dfrac{\Sigma;\Gamma \vdash V : \mathrm{ref}\,\sigma}{\Sigma;\Gamma \vdash\ !V : \sigma} \qquad
\dfrac{\Sigma;\Gamma \vdash V : \mathrm{ref}\,\sigma \quad \Sigma;\Gamma \vdash W : \mathrm{ref}\,\sigma}{\Sigma;\Gamma \vdash V = W : \mathrm{Bool}} \qquad
\dfrac{\Sigma;\Gamma, c:\neg\sigma \vdash M : \bot}{\Sigma;\Gamma \vdash \mu c.M : \sigma} \\[3ex]
\dfrac{\Gamma(c) = \neg\sigma \quad \Sigma;\Gamma \vdash M : \sigma}{\Sigma;\Gamma \vdash [c]M : \bot} \qquad
\dfrac{\Gamma(c) = \neg\sigma}{\Sigma;\Gamma \vdash [c]\bullet : \neg\sigma} \qquad
\dfrac{\Sigma;\Gamma, x:\sigma \vdash M : \tau \quad \Sigma;\Gamma \vdash E : \neg\tau}{\Sigma;\Gamma \vdash E[\mathrm{let}\ x = \bullet\ \mathrm{in}\ M] : \neg\sigma}
\end{array}$$

Fig. 1. λμref: typing rules for terms and evaluation contexts (one further rule of the first row, with premise Γ(c) = ¬σ, is not legible in the extraction) 

A store, ranged over by S, T, is a finite mapping from locations to values. S(ℓ) stands for the value associated to ℓ in S. We use the notation S · [ℓ ↦ V] for the extension of S with a mapping for ℓ, which is only defined if ℓ is not defined in S. S[ℓ ↦ V] denotes the store S in which the value associated to ℓ is updated. 

The operational semantics $\to_{op}$ of the λμref-calculus is defined over configurations, which are pairs (M, S) formed by a term and a store. It is given by the following rules: 

$$\begin{array}{rcl}
(E[(\lambda x.M)\,V], S) & \to_{op} & (E[M\{x := V\}], S) \\
(E[\mathrm{let}\ x = V\ \mathrm{in}\ M], S) & \to_{op} & (E[M\{x := V\}], S) \\
(E[\mathrm{if}\ \mathrm{true}\ \mathrm{then}\ N_1\ \mathrm{else}\ N_2], S) & \to_{op} & (E[N_1], S) \\
(E[\mathrm{if}\ \mathrm{false}\ \mathrm{then}\ N_1\ \mathrm{else}\ N_2], S) & \to_{op} & (E[N_2], S) \\
(E[\mathrm{new}\ x = V\ \mathrm{in}\ M], S) & \to_{op} & (E[M\{x := \ell\}], S \cdot [\ell \mapsto V]) \\
(E[\ell := V], S) & \to_{op} & (E[()], S[\ell \mapsto V]) \\
(E[!\ell], S) & \to_{op} & (E[S(\ell)], S) \\
(E[\ell = \ell], S) & \to_{op} & (E[\mathrm{true}], S) \\
(E[\ell = \ell'], S) & \to_{op} & (E[\mathrm{false}], S) \\
(E[\mu c.M], S) & \to_{op} & (M\{c := E\}, S)
\end{array}$$
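As an added illustration (not code from the paper), the following Python evaluator runs the λμν fragment of these rules to a normal form. The tuple encoding of terms, the use of closures and captured evaluation contexts in place of the substitutions M{x := V} and M{c := E}, and the `interrogate_twice` context are assumptions of this illustration; it replays the two programs of the inequivalence from the introduction under a context that calls them twice.

```python
# Added illustration (not the paper's code): an environment-based evaluator
# for the λμν fragment of the →op rules above. Substitutions M{x := V} and
# M{c := E} are replaced by closures and by binding c to the captured
# evaluation context E, which is an assumption of this encoding.
import itertools

# Terms are tuples:
#   ('var', x)  ('unit',)  ('bool', b)  ('atom', a)  ('lam', x, M)
#   ('let', x, M, N)  ('app', V, W)  ('if', V, N1, N2)  ('eq', V, W)
#   ('new', n, M)  ('mu', c, M)  ('named', c, M)
# Runtime values: ('unit',), ('bool', b), ('atom', a), ('clo', x, M, env).
# An evaluation context E = [c]E'[let x = • in N] is (c, frames), with the
# innermost let-frame (x, N, env) first.

_atoms = itertools.count()


class NeutralTerm(Exception):
    """Normal form E[x V] with x free (Theorem 2); unreachable for closed programs."""


def value_of(V, env):
    """Evaluate a syntactic value V under env."""
    if V[0] == 'var':
        if V[1] not in env:
            raise NeutralTerm(V[1])
        return env[V[1]]
    if V[0] == 'lam':
        return ('clo', V[1], V[2], env)
    return V


def evaluate(named, store=frozenset()):
    """Run (M, S) →op* to a normal form, for `named` = ('named', c, M) with
    c free. Returns (c, value, store) for the named value [c]V reached."""
    env, E, M = {}, (named[1], ()), named[2]
    while True:
        tag = M[0]
        if tag in ('var', 'unit', 'bool', 'atom', 'lam'):
            V = value_of(M, env)
            cname, frames = E
            if not frames:                       # [c]V : normal form
                return cname, V, store
            (x, N, fenv), *rest = frames         # E[let x = V in N] → E[N{x := V}]
            env, M, E = {**fenv, x: V}, N, (cname, tuple(rest))
        elif tag == 'let':                       # push the frame, evaluate the bound term
            _, x, N, body = M
            E, M = (E[0], ((x, body, env),) + E[1]), N
        elif tag == 'app':                       # E[(λx.M) V] → E[M{x := V}]
            fun, arg = value_of(M[1], env), value_of(M[2], env)
            if fun[0] != 'clo':
                raise NeutralTerm(M[1])
            env, M = {**fun[3], fun[1]: arg}, fun[2]
        elif tag == 'if':
            M = M[2] if value_of(M[1], env)[1] else M[3]
        elif tag == 'eq':                        # atom equality: E[ℓ = ℓ'] → E[true/false]
            M = ('bool', value_of(M[1], env) == value_of(M[2], env))
        elif tag == 'new':                       # new n in M: allocate a fresh atom
            a = f"a{next(_atoms)}"
            store, env, M = store | {a}, {**env, M[1]: ('atom', a)}, M[2]
        elif tag == 'mu':                        # E[μc.M] → M{c := E}: capture E
            env, M = {**env, M[1]: E}, M[2]
        elif tag == 'named':                     # [d]N: reinstall the context bound to d
            E, M = env.get(M[1], (M[1], ())), M[2]
        else:
            raise ValueError(f"unknown term {M!r}")


def lam_(body):
    """λ_.body, a function ignoring its argument."""
    return ('lam', '_', body)


NEW_THEN_LAMBDA = ('new', 'n', lam_(('var', 'n')))        # new n in λ_.n
LAMBDA_THEN_NEW = lam_(('new', 'n', ('var', 'n')))        # λ_.new n in n


def interrogate_twice(F):
    """[c]let f = F in let x = f () in let y = f () in x = y : a context that
    calls the function twice and compares the two atoms it receives."""
    call = ('app', ('var', 'f'), ('unit',))
    return ('named', 'c',
            ('let', 'f', F,
             ('let', 'x', call,
              ('let', 'y', call,
               ('eq', ('var', 'x'), ('var', 'y'))))))


if __name__ == "__main__":
    for prog in (NEW_THEN_LAMBDA, LAMBDA_THEN_NEW):
        c, V, S = evaluate(interrogate_twice(prog))
        print(f"[{c}]{V[1]}  store = {sorted(S)}")
```

The first program answers [c]true with one atom in the store, the second [c]false with two: a single call cannot tell them apart, two calls can.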


The typing system for terms is given by the rules in Figure 1. We chose here a typing judgement with a single typing context Γ, so that continuation variables are given types of the shape ¬σ. Such negated types are also used to type evaluation contexts, as specified by the two last rules in Figure 1. While we cannot store a continuation variable c in a reference, we can always store its associated function λx.[c]x. Typing rules force terms of type ⊥ to be of the shape [d]M, following Parigot's original presentation of the λμ-calculus [22]. 

We also consider a typing judgement of the shape Σ ⊢ C : (Γ; σ) ⇝ (Δ; τ), for contexts C that take terms M of type Σ; Γ ⊢ M : σ and produce terms of type Σ; Δ ⊢ C[M] : τ. The typing rules defining this judgement are standard and not recalled here. 

In the following, we consider the λμν-calculus, the fragment of the λμref-calculus that only handles references of type ref Unit. That is, for any reference type ref σ appearing in the typing derivation, we have σ = Unit. 

We use a, b, ... to range over locations of type ref Unit, also called atoms, and introduce the slightly shorter notation new n in M to stand for new n = () in M in λμν. The syntax for values and terms of the λμν-calculus is thus: 

$$\begin{array}{lrcl}
\text{Values} & V, W & ::= & x \mid () \mid \lambda x.N \mid \mathrm{true} \mid \mathrm{false} \mid a \\
\text{Terms} & M, N & ::= & V \mid \mathrm{let}\ x = M\ \mathrm{in}\ N \mid V\,W \mid \mathrm{if}\ V\ \mathrm{then}\ N_1\ \mathrm{else}\ N_2 \mid V = W \mid \mathrm{new}\ n\ \mathrm{in}\ M \\
& & & \mid \mu c.M
\end{array}$$


In this setting, we see stores S directly as sets of atoms, all mapping to the unit value (). For L a set of atoms, we write L for the store that maps atoms in L to the unit value (). 

We consider the following extension of the typing judgement respectively to stores S and value-mapping substitutions γ: 

$$\dfrac{\forall \ell \in \mathrm{dom}(S),\ \Sigma; \emptyset \vdash S(\ell) : \Sigma(\ell) \qquad \mathrm{dom}(S) = \mathrm{dom}(\Sigma)}{\vdash S : \Sigma}
\qquad
\dfrac{\forall x \in \mathrm{dom}(\Gamma),\ \Sigma; \Delta \vdash \gamma(x) : \Gamma(x) \qquad \mathrm{dom}(\gamma) = \mathrm{dom}(\Gamma)}{\Sigma; \Delta \vdash \gamma : \Gamma}$$


Definition 1. A normal form (M, S) is a configuration that is irreducible for the reduction relation $\to_{op}$. We write (M; S) ⇓ N when there exists a store T such that $(M; S) \to_{op}^{*} (N; T)$ and (N; T) is a normal form. 


We call the types Bool, Unit and ref σ positive types, while σ → τ and ¬σ are called negative types. By only allowing free variables of negative types, we can provide a sharp characterization of normal forms. 


Theorem 2. Taking a term M such that Σ; Γ ⊢ M : ⊥ with Γ a typing context mapping variables to negative types, if (M; S) is in normal form with respect to $\to_{op}$, then M is either a named value [c]V or a neutral term E[xV]. 

Moreover, for any configuration (M, S) such that M is in λμν, Σ; Γ ⊢ M : ⊥ and ⊢ S : Σ, there exists N such that (M, S) ⇓ N. 


Definition 3. Taking two terms M, N such that Σ; Γ ⊢ M : σ and Σ; Γ ⊢ N : σ, we say that they are contextually equivalent, written Σ; Γ ⊢ M $\simeq_{ctx}$ N : σ, when for all continuation variable c and context C such that Σ' ⊢ C : (Γ; σ) ⇝ (c : ¬Unit; ⊥), and for all store S such that ⊢ S : Σ', we have (C[M], S) ⇓ [c]() if and only if (C[N], S) ⇓ [c](). 


In the definition above, we use λμref contexts to observe λμν terms. Such contexts can use higher-order references, and lead to divergent computations. For this reason, testing for convergence to () is enough when defining $\simeq_{ctx}$. 


3 Operational Game Semantics 


We now introduce a fully-abstract trace semantics for λμref programs. We follow a modular presentation, inspired by the one provided by Laird in [15], where the semantics is built from a synchronization product of three LTS: 


— the Interactive LTS $\mathcal{L}_{I}$, that represents the raw interactions of programs with their environment. 

— the Typing LTS $\mathcal{L}_{Ty}$, that keeps track of the polarization and types of names exchanged, to preserve well-typedness. 

— the Disclosing LTS $\mathcal{L}_{Di}$, that prevents the environment from using private resources that have not been disclosed by Proponent. 


3.1 Abstract values 


To represent the interaction between the program and its environment, we dis- 
tinguish between values that we can observe and values that we can interact 
with. The two players only exchange observable values, called abstract values in 
this paper. They are defined by the following grammar: 


$$A, B ::= f \mid a \mid \mathrm{true} \mid \mathrm{false} \mid ()$$

with f a function name, that is a variable used to represent functions exchanged between the two players. These correspond to the positive part of values, and are also called ultimate patterns in [17]. Like for terms, supp(A) stands for the set of atoms occurring in A. We consider the typing judgement $\Delta \vdash A : \sigma$ for abstract values, with σ a positive type, that is defined similarly as done for terms. 
Then we introduce the abstraction relation $\rightsquigarrow$ that transforms a value V into a pair (A, γ) formed by an abstract value and a substitution, such that A{γ} = V: 

$$\begin{array}{c}
f, g\ \text{function names} \qquad b \in \{\mathrm{true}, \mathrm{false}\} \qquad a\ \text{an atom} \\[2ex]
f \rightsquigarrow (f, \varepsilon) \qquad () \rightsquigarrow ((), \varepsilon) \qquad b \rightsquigarrow (b, \varepsilon) \qquad a \rightsquigarrow (a, \varepsilon) \qquad \lambda x.M \rightsquigarrow (f, [f \mapsto \lambda x.M])
\end{array}$$
3.2 Labelled Transition Systems 


The two players, Opponent and Proponent, exchange moves, which are in one of six forms: 

$$\begin{array}{c|c|c|c|c|c}
\text{P-question} & \text{P-answer} & \text{O-question} & \text{O-answer} & \text{P-init question} & \text{O-init question} \\
\bar f(A, c) & \bar c(A) & f(A, c) & c(A) & \overline{?}(\vec A) & ?(\vec A)
\end{array}$$

We use m to range over moves, and p (resp. o) to range over Proponent (resp. Opponent) moves. Initial questions are the introductory moves. In contrast with other moves, they can introduce multiple abstract values in a row, which is useful to instantiate all the variables of a typing context Γ. They use a distinguished function name ?. 

Traces t are sequences of moves. We write $\bar m$ for the corresponding move with reversed polarity (input switched to output, and vice-versa). We extend this definition to switch traces, written $\bar t$. 

The three labelled transition systems we define are instances of the following 
definition: 


Definition 4. A labelled transition system (LTS) $\mathcal{L}$ is a triple of the form (Confs, Actions, →). Confs is a set of configurations C, D. Actions is a set of actions a, formed by the moves m, together with a silent action op, corresponding to internal computations. Relation → ⊆ Confs × Actions × Confs is the labelled transition relation. We write $C \xrightarrow{a} D$ for (C, a, D) ∈ →. 


Taking C a configuration of an LTS $\mathcal{L}$, we write $\mathrm{Tr}_{\mathcal{L}}(C)$ for the set of traces, as sequences of moves generated by this LTS over C (so with op actions removed). We write C ~ D for the trace equivalence relation, which equates configurations C, D when both have the same set of traces. 


3.3 Interactive LTS 


We consider interactive configurations I, J ∈ IConfs which are either passive of the shape ⟨S; γ⟩, or active of the shape ⟨M; S; γ⟩ with M a term, S a store, and γ a substitution. The Interactive LTS $\mathcal{L}_{I}$ is then defined as the triple (IConfs, Actions, $\to_{I}$) with relation $\to_{I}$ defined in Figure 2. 

The two rules for Proponent moves describe transitions performed by normal forms and make use of the abstraction relation. In the two rules for Opponent, the notation S ⊕ [supp(A)] stands for S extended with a binding a ↦ () in the case when A = a and a is fresh for Proponent, and simply S otherwise: Proponent extends its store when a new atom is received. 


3.4 Typing LTS 


We consider type-context configurations S, T ∈ $\mathrm{Confs}_{Ty}$ which are either active of the shape $\langle \Delta_O \mid \bot; \Delta_P\rangle$ or passive of the shape $\langle \Delta_O \mid \Delta_P\rangle$, with $\Delta_O, \Delta_P$ two disjoint typing contexts that map variables to negative types. 
$$\begin{array}{c}
\dfrac{(M; S) \to_{op} (N; T)}{\langle M; S; \gamma\rangle \xrightarrow{op}_{I} \langle N; T; \gamma\rangle} \\[3ex]
\dfrac{V \rightsquigarrow (A, \gamma')}{\langle E[f\,V]; S; \gamma\rangle \xrightarrow{\bar f(A, c)}_{I} \langle S; \gamma \cdot \gamma' \cdot [c \mapsto E]\rangle}\ \text{(PQ)} \qquad
\dfrac{V \rightsquigarrow (A, \gamma')}{\langle [c]V; S; \gamma\rangle \xrightarrow{\bar c(A)}_{I} \langle S; \gamma \cdot \gamma'\rangle}\ \text{(PA)} \\[3ex]
\dfrac{}{\langle S; \gamma\rangle \xrightarrow{f(A, c)}_{I} \langle [c]\gamma(f)\,A; S \oplus [\mathrm{supp}(A)]; \gamma\rangle}\ \text{(OQ)} \qquad
\dfrac{}{\langle S; \gamma\rangle \xrightarrow{c(A)}_{I} \langle \gamma(c)[A]; S \oplus [\mathrm{supp}(A)]; \gamma\rangle}\ \text{(OA)}
\end{array}$$

Fig. 2. Definition of $\mathcal{L}_{I}$, the Interactive LTS: transitions of interactive configurations 


$$\begin{array}{c}
\dfrac{\Delta_O(f) = \sigma \to \tau \quad \Delta \vdash A : \sigma}{\langle \Delta_O \mid \bot; \Delta_P\rangle \xrightarrow{\bar f(A, c)}_{Ty} \langle \Delta_O \mid \Delta_P, \Delta, c : \neg\tau\rangle}\ \text{(PQ)} \qquad
\dfrac{\Delta_O(c) = \neg\sigma \quad \Delta \vdash A : \sigma}{\langle \Delta_O \mid \bot; \Delta_P\rangle \xrightarrow{\bar c(A)}_{Ty} \langle \Delta_O \mid \Delta_P, \Delta\rangle}\ \text{(PA)} \\[3ex]
\dfrac{\Delta_P(f) = \sigma \to \tau \quad \Delta \vdash A : \sigma}{\langle \Delta_O \mid \Delta_P\rangle \xrightarrow{f(A, c)}_{Ty} \langle \Delta_O, \Delta, c : \neg\tau \mid \bot; \Delta_P\rangle}\ \text{(OQ)} \qquad
\dfrac{\Delta_P(c) = \neg\sigma \quad \Delta \vdash A : \sigma}{\langle \Delta_O \mid \Delta_P\rangle \xrightarrow{c(A)}_{Ty} \langle \Delta_O, \Delta \mid \bot; \Delta_P\rangle}\ \text{(OA)}
\end{array}$$

Fig. 3. Definition of $\mathcal{L}_{Ty}$, the typing LTS: transitions of type-context configurations 


The Typing LTS $\mathcal{L}_{Ty}$ is then defined as the triple ($\mathrm{Confs}_{Ty}$, Actions, $\to_{Ty}$) with relation $\to_{Ty}$ defined in Figure 3. Notice that the type of the active term is ⊥ since the reduction relation $\to_{op}$ is well-defined only on terms of this type. 

Typing configurations can be used to specify interactive configurations, via 
the following validity judgement. 


Definition 5. An interactive configuration I is said to be validated by a typing configuration S, written I ▷ S, when: 


— either I = ⟨S; γ⟩, S = $\langle \Delta_O \mid \Delta_P\rangle$, and there exists a store typing context Σ such that $\Sigma; \Delta_O \vdash \gamma : \Delta_P$ and ⊢ S : Σ, 

— or I = ⟨M; S; γ⟩, S = $\langle \Delta_O \mid \bot; \Delta_P\rangle$, and there exists a store typing context Σ such that $\Sigma; \Delta_O \vdash M : \bot$, $\Sigma; \Delta_O \vdash \gamma : \Delta_P$ and ⊢ S : Σ. 


3.5 Disclosing LTS 


In order to enforce a non-omniscient condition on Opponent transitions, we introduce a Disclosing LTS $\mathcal{L}_{Di}$ = (DConfs, Actions, $\to_{Di}$) whose configurations DConfs are pairs of sets of locations ⟨L; D⟩ with D a set of atoms contained in L. The transition relation $\to_{Di}$ is defined in Figure 4. The condition L ∩ supp(o) ⊆ D corresponds to the fact that Opponent cannot play Proponent atoms that have not been disclosed yet, i.e. not in D. 

$$\begin{array}{c}
\dfrac{}{\langle L; D\rangle \xrightarrow{op}_{Di} \langle L \cup L'; D\rangle} \\[3ex]
\dfrac{}{\langle L; D\rangle \xrightarrow{p}_{Di} \langle L; D \cup \mathrm{supp}(p)\rangle}\ \text{(PQ/PA)} \qquad
\dfrac{L \cap \mathrm{supp}(o) \subseteq D}{\langle L; D\rangle \xrightarrow{o}_{Di} \langle L \cup \mathrm{supp}(o); D \cup \mathrm{supp}(o)\rangle}\ \text{(OQ/OA)}
\end{array}$$

Fig. 4. Definition of $\mathcal{L}_{Di}$, the Disclosing LTS 


Definition 6. An interactive configuration I is said to be validated by a disclosing configuration D = ⟨L; D⟩, written I ▷ D, if, writing S for the store component of I, we have dom(S) = L. 


3.6 Operational Game Semantics: LTS and Trace Equivalence 


The Operational Game Semantics (OGS) LTS $\mathcal{L}_{OGS}$ = ($\mathrm{Confs}_{OGS}$, Actions, $\to_{OGS}$) is defined over configurations G, H ∈ $\mathrm{Confs}_{OGS}$ of the shape (I, S, D), with I ▷ S and I ▷ D, or over initial configurations (Σ; Γ ⊢ M : σ) for Proponent and (c : ¬Unit ⊢ (S; δ) : (Σ; Γ)) for Opponent. Its transition relation is defined by the following rules: 

$$\dfrac{I \xrightarrow{a}_{I} J \quad S \xrightarrow{a}_{Ty} T \quad D \xrightarrow{a}_{Di} E \quad J \triangleright T \quad J \triangleright E}{(I, S, D) \xrightarrow{a}_{OGS} (J, T, E)}$$

$$\dfrac{\Gamma = (x_i : \tau_i)_i \quad \Delta_i \vdash A_i : \tau_i \quad L = (\bigcup_i \mathrm{supp}(A_i)) \cup \mathrm{dom}(\Sigma)}{(\Sigma; \Gamma \vdash M : \sigma) \xrightarrow{?(\vec A)}_{OGS} (\langle [c]M\{x_i := A_i\}; L; \varepsilon\rangle, \langle \vec\Delta, c : \neg\sigma \mid \bot; \emptyset\rangle, \langle L; L\rangle)}$$

$$\dfrac{\Gamma = (x_i : \sigma_i)_i \quad \delta(x_i) \rightsquigarrow (A_i, \gamma_i) \quad \Delta_i \vdash A_i : \sigma_i \quad L = \Sigma^{-1}(\mathrm{ref}\,\mathrm{Unit})}{(c : \neg\mathrm{Unit} \vdash (S; \delta) : (\Sigma; \Gamma)) \xrightarrow{\overline{?}(\vec A)}_{OGS} (\langle S; \vec\gamma\rangle, \langle c : \neg\mathrm{Unit} \mid \vec\Delta\rangle, \langle L; L\rangle)}$$


The initial question generated by (Σ; Γ ⊢ M : σ) provides a way for Opponent to instantiate the variables of Γ with abstract values. In this setting Σ only contains atoms since M is a term of λμν. The transition for (c : ¬Unit ⊢ (S; δ) : (Σ; Γ)) represents this behavior from the point of view of Opponent. Since contexts belong to λμref, these initial configurations come equipped with an initial store S of type Σ, but only the locations of type ref Unit are considered to be disclosed, since the other ones cannot be used by Proponent. The continuation name c is used for Opponent to provide its final answer, which is of type Unit, following the notion of observation used to define contextual equivalence. 

We use notation $\Rightarrow^{p}_{OGS}$ to denote a p transition preceded by a possibly empty sequence of op transitions. Trace equivalence according to $\mathcal{L}_{OGS}$ and contextual equivalence coincide. 
$$\begin{array}{c}
\dfrac{(M; L) \to_{op} (N; L')}{\langle M; L\rangle \xrightarrow{op}_{PI} \langle N; L'\rangle} \\[3ex]
\dfrac{V \rightsquigarrow (A, \gamma)}{\langle E[f\,V]; L\rangle \xrightarrow{\bar f(A, c)}_{PI} \langle L; \gamma \cdot [c \mapsto E]\rangle}\ \text{(PQ)} \qquad
\dfrac{V \rightsquigarrow (A, \gamma)}{\langle [c]V; L\rangle \xrightarrow{\bar c(A)}_{PI} \langle L; \gamma\rangle}\ \text{(PA)} \\[3ex]
\dfrac{}{\langle L; \gamma\rangle \xrightarrow{f(A, c)}_{PI} \langle [c]\gamma(f)\,A; L \cup \mathrm{supp}(A)\rangle}\ \text{(OQ)} \qquad
\dfrac{}{\langle L; \gamma\rangle \xrightarrow{c(A)}_{PI} \langle \gamma(c)[A]; L \cup \mathrm{supp}(A)\rangle}\ \text{(OA)}
\end{array}$$

Fig. 5. Definition of $\mathcal{L}_{PI}$: transitions of prime interactive configurations 


Theorem 7. Consider two terms M, N such that Σ; Γ ⊢ M, N : σ. We have (Σ; Γ ⊢ M : σ) ~ (Σ; Γ ⊢ N : σ) if and only if Σ; Γ ⊢ M $\simeq_{ctx}$ N : σ. 


Such a full-abstraction theorem was proven in [13] for RefML, that is the intuitionistic fragment of the λμref-calculus, without control operators. It was also proven in [10] for HOSC, a variant of the λμref-calculus, with the call/cc operator, but without atom disclosure. Such a full-abstraction result being rather standard, we have chosen to present its proof in [9]. 

In the remainder of the paper, we focus on the λμν-calculus. In particular, we only consider OGS configurations corresponding to λμν from now on. 


4 Lassen Trees for the λμν-calculus 


4.1 POGS and POGS bipartite bisimulation 


We introduce Lassen trees for terms of the λμν-calculus, as a form of linearized version of $\mathcal{L}_{OGS}$, where Opponent can interrogate a name provided by Proponent only once, immediately after it has been introduced. So we consider prime interactive configurations which are either passive of the shape ⟨L; γ⟩, or active of the shape ⟨M; L⟩ with M a term, L a set of atoms, and γ a substitution. Compared to interactive configurations, the active configurations do not carry an environment γ. Furthermore, we have a set of atoms rather than a full store, since this LTS is defined only for the λμν-calculus and not for the whole λμref-calculus. 

The Prime Interactive LTS, $\mathcal{L}_{PI}$, is then defined as ($\mathrm{Confs}_{PI}$, Actions, $\to_{PI}$), with $\to_{PI}$ defined in Figure 5. 

The corresponding Typing LTS is defined using the transitions given in Figure 6, which are very close in spirit to the transitions in Figure 3. 

The transitions for the Disclosing LTS for POGS are presented in Figure 7. We compare these with the Disclosing LTS for OGS (Figure 4) below. 

The Prime Operational Game Semantics LTS is introduced as a synchronization product, together with initial transitions, like for OGS. More precisely, the synchronization between the interactive and typing LTSs requires that active configurations ⟨M; L⟩ correspond to type-contexts of the shape $\langle \Delta_O \mid \bot\rangle$, with $\Sigma; \Delta_O \vdash M : \bot$ and ⊢ L : Σ, for some store typing context Σ. Accordingly, for passive configurations ⟨L; γ⟩, we synchronize with $\langle \Delta_O \mid \Delta_P\rangle$, and check that $\Sigma; \Delta_O \vdash \gamma : \Delta_P$ and ⊢ L : Σ, for some store typing context Σ. 
$$\begin{array}{c}
\dfrac{\Delta_O(f) = \sigma \to \tau \quad \Delta \vdash A : \sigma}{\langle \Delta_O \mid \bot\rangle \xrightarrow{\bar f(A, c)}_{PTy} \langle \Delta_O \mid \Delta, c : \neg\tau\rangle}\ \text{(PQ)} \qquad
\dfrac{\Delta_O(c) = \neg\sigma \quad \Delta \vdash A : \sigma}{\langle \Delta_O \mid \bot\rangle \xrightarrow{\bar c(A)}_{PTy} \langle \Delta_O \mid \Delta\rangle}\ \text{(PA)} \\[3ex]
\dfrac{\Delta_P(f) = \sigma \to \tau \quad \Delta \vdash A : \sigma}{\langle \Delta_O \mid \Delta_P\rangle \xrightarrow{f(A, c)}_{PTy} \langle \Delta_O, \Delta, c : \neg\tau \mid \bot\rangle}\ \text{(OQ)} \qquad
\dfrac{\Delta_P(c) = \neg\sigma \quad \Delta \vdash A : \sigma}{\langle \Delta_O \mid \Delta_P\rangle \xrightarrow{c(A)}_{PTy} \langle \Delta_O, \Delta \mid \bot\rangle}\ \text{(OA)}
\end{array}$$

Fig. 6. Definition of $\mathcal{L}_{PTy}$: transitions of prime type-context configurations 


$$\begin{array}{c}
\dfrac{D' \subseteq L'}{\langle L; D\rangle \xrightarrow{op}_{PDi} \langle L \uplus L'; D \uplus D'\rangle} \\[3ex]
\dfrac{\mathrm{supp}(p) \subseteq D}{\langle L; D\rangle \xrightarrow{p}_{PDi} \langle L; D\rangle}\ \text{(PQ/PA)} \qquad
\dfrac{L \cap \mathrm{supp}(o) \subseteq D}{\langle L; D\rangle \xrightarrow{o}_{PDi} \langle L \cup \mathrm{supp}(o); D \cup \mathrm{supp}(o)\rangle}\ \text{(OQ/OA)}
\end{array}$$

Fig. 7. Definition of $\mathcal{L}_{PDi}$: Disclosing LTS for POGS 


To synchronize with the Disclosing LTS, whose states are of the form ⟨L; D⟩, we simply impose that the L component is the same as in the state of $\mathcal{L}_{PI}$, both for active and passive configurations. 

We call $\mathcal{L}_{POGS}$ the LTS obtained by synchronizing $\mathcal{L}_{PI}$, $\mathcal{L}_{PTy}$ and $\mathcal{L}_{PDi}$. We write P, Q ∈ $\mathrm{Confs}_{POGS}$ for the configurations of $\mathcal{L}_{POGS}$. The Lassen tree of a term is then defined as the unfolding of $\mathcal{L}_{POGS}$ on the initial active configuration associated with this term. 


Example 8. The Lassen trees (omitting the typing configurations) for [c]new n in λ_.n and [c]λ_.new n in n are given by: 

For [c]new n in λ_.n, starting from (⟨[c]new n in λ_.n; ∅⟩, ⟨∅; ∅⟩): 

— op (disclosing nothing, D' = ∅), then $\bar c(f)$: (⟨{a}; [f ↦ λ_.a]⟩, ⟨{a}; ∅⟩) 
  — f((), c'): (⟨[c'](λ_.a)(); {a}⟩, ⟨{a}; ∅⟩), then op (dashed) to a stuck configuration 
— op (disclosing a, D' = {a}), then $\bar c(f)$: (⟨{a}; [f ↦ λ_.a]⟩, ⟨{a}; {a}⟩) 
  — f((), c'): (⟨[c'](λ_.a)(); {a}⟩, ⟨{a}; {a}⟩) 
    — op, then $\bar c'(a)$: (⟨{a}; ε⟩, ⟨{a}; {a}⟩) 

For [c]λ_.new n in n, starting from (⟨[c]λ_.new n in n; ∅⟩, ⟨∅; ∅⟩): 

— $\bar c(f)$: (⟨∅; [f ↦ λ_.new n in n]⟩, ⟨∅; ∅⟩) 
  — f((), c'): (⟨[c'](λ_.new n in n)(); ∅⟩, ⟨∅; ∅⟩) 
    — op (disclosing nothing, dashed) to a stuck configuration 
    — op (disclosing a), then $\bar c'(a)$: (⟨{a}; ε⟩, ⟨{a}; {a}⟩) 


Due to the condition supp(p) ⊆ D in $\to_{PDi}$, some configurations with terms in normal form do not have a corresponding Proponent transition. The dashed arrows correspond to op transitions that lead to such stuck configurations. 
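To make the difference between the two disclosing LTSs concrete, here is an added Python illustration, not code from the paper, that implements the rules of Figures 4 and 7 on ⟨L; D⟩ configurations and replays the three phases of Example 8 on them, requiring identical disclosed sets in related configurations as a bipartite bisimulation does. The phase encoding of a run and the lockstep search are assumptions of this illustration.

```python
# Added illustration (not the paper's code): the disclosing LTSs of Figures 4
# (OGS) and 7 (POGS) over configurations (L; D), replayed on Example 8. A run
# is encoded as alternating phases ('P', created, supp_p) and ('O', supp_o),
# where a 'P' phase is the op transitions creating atoms `created` followed by
# the Proponent move p; this phase encoding is an assumption of the example.
from itertools import combinations

EMPTY = frozenset()


class Stuck(Exception):
    """A side condition of a disclosing rule fails: the transition does not exist."""


def opponent(L, D, supp_o):
    """OQ/OA rule, the same in Fig. 4 and Fig. 7: Opponent may only play atoms of
    Proponent's store L that are already disclosed (L ∩ supp(o) ⊆ D); whatever
    it plays becomes shared, hence disclosed."""
    if not (L & supp_o) <= D:
        raise Stuck(f"undisclosed atoms played: {sorted((L & supp_o) - D)}")
    return L | supp_o, D | supp_o


def ogs_proponent(L, D, created, supp_p):
    """OGS (Fig. 4): op adds the created atoms to L and leaves D alone; the
    Proponent move then discloses exactly the atoms it plays."""
    return L | created, D | supp_p


def pogs_proponent(L, D, created, supp_p):
    """POGS (Fig. 7): op guesses D' ⊆ L' when the atoms are created, and the
    Proponent move requires supp(p) ⊆ D without changing D. Yields every
    successor (L ⊎ L'; D ⊎ D') whose Proponent move is not stuck."""
    assert not (L & created), "op creates fresh atoms only"
    for k in range(len(created) + 1):
        for guess in combinations(sorted(created), k):
            D_next = D | frozenset(guess)
            if supp_p <= D_next:
                yield L | created, D_next


def ogs_disclosed_sets(run):
    """Disclosed set after each phase of `run` in the OGS disclosing LTS."""
    L, D, out = EMPTY, EMPTY, []
    for phase in run:
        if phase[0] == 'P':
            L, D = ogs_proponent(L, D, phase[1], phase[2])
        else:
            L, D = opponent(L, D, phase[1])
        out.append(D)
    return out


def pogs_match(run1, run2, s1=(EMPTY, EMPTY), s2=(EMPTY, EMPTY)):
    """Lockstep search over the disclosing components of two POGS runs, in the
    spirit of a bipartite bisimulation: related configurations must have
    identical disclosed sets, and every Proponent phase needs a non-stuck successor."""
    if not run1:
        return True
    p1, p2 = run1[0], run2[0]
    if p1[0] == 'P':
        return any(n1[1] == n2[1] and pogs_match(run1[1:], run2[1:], n1, n2)
                   for n1 in pogs_proponent(*s1, p1[1], p1[2])
                   for n2 in pogs_proponent(*s2, p2[1], p2[2]))
    try:
        n1, n2 = opponent(*s1, p1[1]), opponent(*s2, p2[1])
    except Stuck:
        return False
    return n1[1] == n2[1] and pogs_match(run1[1:], run2[1:], n1, n2)


A = frozenset({'a'})
# Example 8 with the single interrogation f((), c') that POGS allows (constructed):
# [c]new n in λ_.n   creates a and answers c̄(f); after f((), c') it answers c̄'(a).
NEW_THEN_LAMBDA = [('P', A, EMPTY), ('O', EMPTY), ('P', EMPTY, A)]
# [c]λ_.new n in n   answers c̄(f); after f((), c') it creates a and answers c̄'(a).
LAMBDA_THEN_NEW = [('P', EMPTY, EMPTY), ('O', EMPTY), ('P', A, A)]

if __name__ == "__main__":
    print("OGS disclosed sets:", ogs_disclosed_sets(NEW_THEN_LAMBDA),
          ogs_disclosed_sets(LAMBDA_THEN_NEW))          # identical after one interrogation
    print("POGS match:", pogs_match(NEW_THEN_LAMBDA, LAMBDA_THEN_NEW))  # False
```

With a single interrogation the OGS disclosing components of the two programs evolve identically, whereas the POGS forecast forces the first program to either declare a private (and get stuck on c̄'(a)) or disclose it at a point where the second program has no atom at all.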
4.2 Bipartite Bisimulations for OGS and POGS 


We consider typed relations on passive and active configurations, that is, we require related configurations to have the same type. This means in particular that the environment components γ of the two configurations have the same domain. In addition to the typing, we also enforce that both sets of disclosed atoms are identical. 


Definition 9. A bipartite bisimulation is a pair of relations $(R_{Act}, R_{Pas})$ respectively on active and passive configurations, such that: 


— If $(G_1, G_2) \in R_{Pas}$ then for all Opponent moves o and $H_1, H_2$ such that $G_1 \xrightarrow{o} H_1$ and $G_2 \xrightarrow{o} H_2$, we have $(H_1, H_2) \in R_{Act}$. 

— If $(G_1, G_2) \in R_{Act}$ then there exists a Proponent move p and $(H_1, H_2) \in R_{Pas}$ such that $G_1 \Rightarrow^{p} H_1$ and $G_2 \Rightarrow^{p} H_2$. 


An OGS-bipartite bisimulation is a bipartite bisimulation defined over $\mathcal{L}_{OGS}$, and a POGS-bipartite bisimulation is a bipartite bisimulation defined over $\mathcal{L}_{POGS}$. We write $\approx_{ogs}$ and $\approx_{pogs}$ respectively for the greatest bipartite bisimulation over $\mathcal{L}_{OGS}$ and $\mathcal{L}_{POGS}$. 


The following property follows from the fact that the transition relation is 
deterministic (up to the choice of fresh names). 


Lemma 10. $\approx_{ogs}$ coincides with trace equivalence on OGS configurations. 


For op transitions, the difference between OGS and POGS shows up in the disclosing LTS: in $\to_{PDi}$ a D' component can be chosen non-deterministically. This observation is related to the existential quantification in the second clause of Definition 13. Both in $\mathcal{L}_{OGS}$ and $\mathcal{L}_{POGS}$, there is only one possible next visible (Proponent) move. However, in $\approx_{pogs}$, the game involves choosing an appropriate set of atoms to be disclosed along $\xrightarrow{op}_{PDi}$ transitions. For instance, when constructing a POGS bipartite bisimulation between the terms new n in λ_.n and λ_.new n in n from Example 8, we have two choices for the second step: 

((⟨{a}; [f ↦ λ_.a]⟩, ⟨{a}; ∅⟩), (⟨∅; [f ↦ λ_.new n in n]⟩, ⟨∅; ∅⟩)) 
((⟨{a}; [f ↦ λ_.a]⟩, ⟨{a}; {a}⟩), (⟨∅; [f ↦ λ_.new n in n]⟩, ⟨∅; ∅⟩)) 


The latter does not satisfy the constraint on the disclosed set, since the sets are not the same in the two configurations. The former leads to a stuck configuration: (⟨[c'](λ_.a)(); {a}⟩, ⟨{a}; ∅⟩) cannot perform any Proponent move. Thus the two programs are not equivalent. 


4.3 Deciding $\approx_{pogs}$ 


We now study how to decide when two POGS configurations are bisimilar. First, trees generated by $\mathcal{L}_{POGS}$ are of finite depth. 
Lemma 11. Taking a POGS configuration G, any trace in $\mathrm{Tr}_{POGS}(G)$ is finite. 


This lemma is proven using a biorthogonal logical predicate, following the use of biorthogonality to prove strong normalization of the λμ-calculus [23], the computational metalanguage [18], and cut elimination for linear logic [8]. The proof can be found in [9]. 

Due to the non-determinism of atom generation in $\to_{op}$, of function name generation in $\rightsquigarrow$, and of name picking in Opponent transitions, the trees generated by $\mathcal{L}_{POGS}$ are infinitely branching. To tame this infinite branching, we see the set of moves Moves and the set of configurations $\mathrm{Confs}_{POGS}$ of $\mathcal{L}_{POGS}$ as nominal sets [7] over atoms, function and continuation variables. So taking π a finite permutation over these sets, we write π ∗ X for the action of the permutation π over elements of a nominal set X. The transition relation $\to_{POGS}$ of $\mathcal{L}_{POGS}$ preserves this action of permutations, i.e., it is equivariant: if $P \xrightarrow{a}_{POGS} Q$ then for all finite permutation π, we have $\pi * P \xrightarrow{\pi * a}_{POGS} \pi * Q$. 

One can then consider a variant $\mathcal{L}_{DPOGS}$ of the POGS LTS which uses the same set of configurations as $\mathcal{L}_{POGS}$, but whose transition relation $\to_{DPOGS}$ chooses fresh atoms and names deterministically. So $\to_{DPOGS}$ is then deterministic on op and Proponent actions, and finitely branching on Opponent actions. 

We remark at this point that the notion of bipartite bisimulation $\approx_{pogs}$ introduced in Definition 13 is not suited for $\mathcal{L}_{DPOGS}$. Indeed, it requires equality of actions in the bisimulation game, and also that configurations related by bisimulation have the same type. So we relax the definition of $\approx_{pogs}$ and work with ternary relations, adding a finite permutation of names and atoms in order to match the actions, rather than enforcing syntactic equality. 


Definition 12. A relation $R \subseteq \mathrm{Confs}_{POGS} \times \mathrm{Confs}_{POGS} \times \mathrm{Perm}$ is said to be valid when, for all $((I, S, \langle L; D\rangle), (J, T, \langle L'; D'\rangle), \pi) \in R$, we have $T = \pi * S$ and $D' = \pi * D$. 


Definition 13. A relaxed bipartite bisimulation is a pair of valid relations $(R_{Act}, R_{Pas})$ respectively on active and passive configurations such that: 


— If $(P_1, P_2, \pi) \in R_{Pas}$ then for all Opponent moves $o_1, o_2$, permutation π' extending π, and active POGS configurations $Q_1, Q_2$ satisfying $o_2 = \pi' * o_1$, $P_1 \xrightarrow{o_1} Q_1$ and $P_2 \xrightarrow{o_2} Q_2$, we have $(Q_1, Q_2, \pi') \in R_{Act}$. 

— If $(P_1, P_2, \pi) \in R_{Act}$ then there exists a permutation π' extending π, two Proponent moves $p_1, p_2$ s.t. $p_2 = \pi' * p_1$, and two passive POGS configurations $Q_1, Q_2$ such that $(Q_1, Q_2, \pi') \in R_{Pas}$, $P_1 \Rightarrow^{p_1} Q_1$ and $P_2 \Rightarrow^{p_2} Q_2$. 


We write $\simeq_{pogs}$ for the greatest relaxed bipartite bisimulation over $\mathcal{L}_{POGS}$. From the fact that $\to_{POGS}$ is equivariant, we deduce that $\simeq_{pogs}$ and $\approx_{pogs}$ coincide. Since $\mathcal{L}_{DPOGS}$ generates finite Lassen trees, we deduce that the bisimulation game can be decided. 


Theorem 14. Taking two POGS configurations P, Q, we can decide if $P \approx_{pogs} Q$. 
4.4 Relating the Transitions in OGS and POGS 


To relate the transitions in the OGS and in the POGS, we need to introduce 
some relations and operations on OGS configurations. 


Definition 15. Let G = (I, S, ⟨L; D⟩) and H = (I, S, ⟨L; D'⟩) be two OGS configurations. We write $G \sqsubseteq_{Di} H$ when D ⊆ D'. 


When $G \sqsubseteq_{Di} H$, the configurations only differ by their set of disclosed atoms. 
Lemma 16. If $G \sqsubseteq_{Di} H$ and $G \xrightarrow{a}_{OGS} G'$ then $H \xrightarrow{a}_{OGS} H'$ and $G' \sqsubseteq_{Di} H'$. 
Lemma 17. Let P be an active prime configuration. We have the following: 


— if $P \xrightarrow{op}_{OGS} P'$, then $P \xrightarrow{op}_{POGS} P'$; 

— if $P \xrightarrow{op}_{POGS} P'$, then $P \xrightarrow{op}_{OGS} \sqsubseteq_{Di} P'$. 


In POGS, the disclosed set increases in op transitions as seen above, but not in p transitions. In a sense, disclosing in OGS is done only when needed, whereas in POGS, disclosing must be declared as soon as the atom is created. This is ensured by the additional condition supp(p) ⊆ D in the rule for $\xrightarrow{p}_{PDi}$: 


Lemma 18. When $P \Rightarrow^{p}_{POGS} P'$ with P active, we also have $P \Rightarrow^{p}_{OGS} P'$. 


However, the converse does not always hold, specifically if an atom has been declared non-disclosed but still appears in the action p. Indeed, the transition $(\langle [c]a; L; \varepsilon\rangle, S, \langle L; \emptyset\rangle) \xrightarrow{\bar c(a)}_{OGS} (\langle L; \varepsilon\rangle, S, \langle L; \{a\}\rangle)$ is valid for OGS, but has no counterpart in POGS, since ⟨L; ∅⟩ cannot make the transition $\xrightarrow{\bar c(a)}_{PDi}$. 
Using the following notion of limit (on OGS configurations), we can intuitively replace D by its minimal extension, preventing this phenomenon from happening. 


Definition 19. Given a configuration G = (I, S, ⟨L; D⟩), we define its limit as: 

$$\lim(G) \triangleq \Big(I, S, \big\langle L;\ \bigcup_{t \in \mathrm{Traces}} \{\, L \cap D' \mid G \xrightarrow{t}_{OGS} (\cdot, \cdot, \langle \cdot; D'\rangle) \,\}\big\rangle\Big).$$


We have that $G \sqsubseteq_{Di} \lim(G)$ and lim is idempotent. We call limit configurations those configurations that are a limit (or alternatively, that are their own limit). Being a limit configuration is preserved by moves but not necessarily by op. 


Lemma 20. Let P be a limit configuration. If $P \xrightarrow{op}_{OGS} P'$, then $P \xrightarrow{op}_{POGS} P'$. 


For Opponent transitions, the situation is less simple since not all active OGS configurations are active POGS configurations. To circumvent that issue, we reuse the tensor product from [12]. For two OGS configurations where at least one is passive, we define the tensor product, written ⊗, as follows: 

$$\begin{array}{c}
(I, S, D) \otimes (J, T, E) = (I \otimes J, S \otimes T, D \otimes E) \\[1ex]
\langle S; \gamma\rangle \otimes \langle S'; \gamma'\rangle = \langle S \cup S'; \gamma \cdot \gamma'\rangle \qquad
\langle M; S; \gamma\rangle \otimes \langle S'; \gamma'\rangle = \langle M; S \cup S'; \gamma \cdot \gamma'\rangle \\[1ex]
\langle L; D\rangle \otimes \langle L'; D'\rangle = \langle L \cup L'; D \cup D'\rangle \quad \text{when } D' \cap L \subseteq D \text{ and } D \cap L' \subseteq D'
\end{array}$$


The side conditions for the L and D components ensure that no shared atom is disclosed in one configuration but not the other. 

We can then describe an active OGS configuration as the tensor of two POGS configurations (where S = L): 

$$(\langle M; S; \gamma\rangle, \langle \Delta_O \mid \bot; \Delta_P\rangle, \langle L; D\rangle) = (\langle M; L\rangle, \langle \Delta_O \mid \bot\rangle, \langle L; D\rangle) \otimes (\langle L; \gamma\rangle, \langle \Delta_O \mid \Delta_P\rangle, \langle L; D\rangle)$$

Finally, we have the following property for Opponent transitions: 


Lemma 21. When $P \xrightarrow{o}_{POGS} Q$, we have $P \xrightarrow{o}_{OGS} Q \otimes P$. 
When $P \xrightarrow{o}_{OGS} G$, we have $P \xrightarrow{o}_{POGS} Q$ with $G = Q \otimes P$. 


5 Relating Bisimilarities in OGS and POGS 


In this section, we show that $\approx_{pogs}$ can be used to characterize $\approx_{ogs}$ for the limit configurations introduced above. We rely for that on up-to techniques for bipartite bisimulation in OGS, which we introduce first. 


5.1 Up-to techniques for $\approx_{ogs}$ 


The proofs in this section use the theory of compatible functions [27,25]. More 
details can be found in [9]. 


Definition 22 (Bipartite bisimulation up-to). Given a function f, a bipartite bisimulation up to f is a pair $(R_{Act}, R_{Pas})$ such that: 


— If $(G_1, G_2) \in R_{Pas}$ then for all Opponent moves o and $H_1, H_2$ such that $G_1 \xrightarrow{o}_{OGS} H_1$ and $G_2 \xrightarrow{o}_{OGS} H_2$, we have $(H_1, H_2) \in f(R_{Act})$. 

— If $(G_1, G_2) \in R_{Act}$ then there exists a Proponent move p and $(H_1, H_2) \in f(R_{Pas})$ such that $G_1 \Rightarrow^{p}_{OGS} H_1$ and $G_2 \Rightarrow^{p}_{OGS} H_2$. 


We then define $\mathrm{hide}(R_{Act}, R_{Pas}) = (\sqsubseteq_{Di} R_{Act} \sqsupseteq_{Di};\ \sqsubseteq_{Di} R_{Pas} \sqsupseteq_{Di})$. Recall that we still require that $\mathrm{hide}(R_{Act}, R_{Pas})$ only contains pairs of configurations with the same disclosed set. The soundness of hide can be proved using Lemma 16. 


Lemma 23. hide is a sound up-to technique, i.e. if $(R_{Act}, R_{Pas})$ is a bisimulation up to hide, then $(R_{Act}, R_{Pas}) \subseteq\ \approx_{ogs}$. 
Given a pair of relations $(R_{Act}, R_{Pas})$ on active and passive OGS configurations respectively, we define the following functions: 

$$\begin{array}{rcl}
\mathrm{tensor}(R_{Act}, R_{Pas}) & \triangleq & \big(\ \{(G_1 \otimes G_2, H_1 \otimes H_2)\ \text{s.t.}\ (G_1, H_1) \in R_{Act},\ (G_2, H_2) \in R_{Pas}\}, \\
& & \ \ \{(G_1 \otimes G_2, H_1 \otimes H_2)\ \text{s.t.}\ (G_1, H_1), (G_2, H_2) \in R_{Pas}\}\ \big) \\[1ex]
\mathrm{split}(R_{Act}, R_{Pas}) & \triangleq & \big(\ \{(G_1, H_1)\ \text{s.t.}\ (G_1 \otimes G_2, H_1 \otimes H_2) \in R_{Act}\}, \\
& & \ \ \{(G_1, H_1)\ \text{s.t.}\ (G_1 \otimes G_2, H_1 \otimes H_2) \in R_{Pas}\}\ \big)
\end{array}$$


Lemma 24. $\mathrm{split}(\approx_{ogs}) \subseteq\ \approx_{ogs}$. 


tensor is not a sound up-to technique. It is nevertheless useful to reason about POGS bipartite bisimilar configurations; see Theorem 30 below. 


5.2 Properties of the Limit (in OGS) 


Lemma 25 (Monotonicity). If G is passive and $G \xrightarrow{t}_{OGS} H$, then there exists G' such that $G \otimes G' \sqsubseteq_{Di} H$. 


Lemma 25 shows that transitions can only increase the substitution and the store (corresponding to the G' component), and the set of disclosed atoms (represented by the use of $\sqsubseteq_{Di}$). More precisely, $\sqsubseteq_{Di}$ is required if some atoms from G are disclosed along the trace t, in which case new ones can appear in G'. 

Lemma 25 is language specific. It does not hold when the language allows the content of the store to be modified (like, e.g., in λμref). Additionally, LTSs enforcing some local restriction on the usage of function or continuation names usually have extra components that are modified along the transitions; we return to this point in Section 7. 

In a limit configuration (Definition 19), all atoms that may be disclosed at some point are disclosed. By Lemma 25, these atoms can be disclosed using a single trace. 


Lemma 26. Given a passive configuration G, there exists a trace t and a configuration H such that $G \xrightarrow{t}_{OGS} \lim(G) \otimes H$. 


The limit is also useful to relate transitions in OGS and in POGS as follows. 


Lemma 27. Take a POGS configuration P. 
If P is active and $P \to_{OGS} Q$, then $\lim(P) \to_{POGS} \lim(Q)$. 
If P is passive and $P \to_{OGS} Q \otimes P$, then $\lim(P) \to_{POGS} \lim(Q)$. 


All in all, we obtain that $\approx_{ogs}$ is a congruence for lim. For R a relation over configurations, we write lim(R) for the set {(lim(G), lim(H)) | (G, H) ∈ R}. 


Lemma 28. $\approx_{ogs}$ is closed by computing the limit: $\lim(\approx_{ogs}) \subseteq\ \approx_{ogs}$. 


The case for passive configurations follows immediately from Lemmas 26 and 24. 


40 D. Hirschkoff et al. 


The property of the limit might make us think that the disclosure process of an atom could be decided statically, by annotating new syntactically. The following example shows that it is not the case: 

$$\lambda b.\,\mathrm{new}\ n, m\ \mathrm{in}\ \lambda\_.\,\mathrm{if}\ b\ \mathrm{then}\ n\ \mathrm{else}\ m$$


Either n or m will be disclosed depending on the boolean b given by Opponent, but never both. So this term is indeed contextually equivalent to λb.new n in λ_.n. 


5.3 Correspondence Between $\approx_{ogs}$ and $\approx_{pogs}$ 


Theorem 29 (From $\approx_{ogs}$ to $\approx_{pogs}$). Consider two POGS configurations P and Q. If $P \approx_{ogs} Q$ are both limit configurations, then $P \approx_{pogs} Q$. 


To reason about bisimilar POGS configurations, we use the closure of tensor, written $\overline{\mathrm{tensor}}$. Intuitively, $\overline{\mathrm{tensor}}(R_{Act})$ contains the pairs $(G_1 \otimes G_2, H_1 \otimes H_2)$ with $(G_1, H_1) \in R_{Act}$, $(G_2, H_2) \in \overline{\mathrm{tensor}}(R_{Pas})$, and $\overline{\mathrm{tensor}}(R_{Pas})$ contains the pairs $(G_1 \otimes G_2, H_1 \otimes H_2)$ with $(G_1, H_1) \in R_{Pas}$, $(G_2, H_2) \in \overline{\mathrm{tensor}}(R_{Pas})$. 


Theorem 30 (From $\approx_{pogs}$ to $\approx_{ogs}$). Suppose R is a POGS bipartite bisimulation. Then $\overline{\mathrm{tensor}}(R)$ is an OGS bipartite bisimulation up-to hiding. 


By Lemma 23, Theorem 30 means that if $P \approx_{pogs} Q$, then $P \approx_{ogs} Q$. 

The correspondence between $\approx_{ogs}$ and $\approx_{pogs}$ is restricted to prime configurations as $\approx_{pogs}$ can only relate those. Having the additional condition of configurations being limits is enough for our decidability result. 


6 Related Work 


The ν-calculus was introduced in [24], together with logical relations to reason over contextual equivalence for this language. These logical relations use a Kripke-style definition, worlds being defined as spans of atoms to keep track of the disclosed atoms, similar to the permutation we use in our relaxed bipartite bisimulations. They capture contextual equivalence for programs of first-order type, but are an incomplete technique for higher-order programs. This entails a decidability result for the first-order fragment of the ν-calculus, since logical relations only quantify over finite objects at first-order types.

Categorical models of the ν-calculus were provided in [29,30], using a representation of name creation via a strong monad. Two examples of such models were given: (i) the functor category Set^I with I the category of finite sets and injections; (ii) the category BG of continuous G-sets, with G the topological group of automorphisms over ℕ. None of these models is fully abstract, since they distinguish new n in λx. x = n from λx. false.

These models were later refined using nominal sets [7], so that types are interpreted via Fraenkel-Mostowski sets [28] or domains [14]. Both of these works are continuation models; they might be used to provide a semantics for the λμν-calculus studied in this paper, a direction we wish to explore in future work. Such use of continuations was justified in [28] to provide a model for an extension of the ν-calculus with recursion. More recently, proof-relevant logical relations were introduced to deal with recursion in the presence of name generation [4].

In [26], a model of the ν-calculus is given in quasi-Borel spaces, showing a correspondence between random sampling and fresh name generation. This model is shown to be fully abstract for terms of first-order types.

In [5], environmental bisimulations for the ν-calculus are defined and shown to be fully abstract. Nevertheless, it does not seem possible to extract a decision procedure from that result, since environmental bisimulations are played over a higher-order LTS, that is, an LTS whose actions contain λ-terms. So this LTS is infinitely branching at higher-order types.

Eager normal-form bisimulations have been introduced by Lassen for the call-by-value λ-calculus [16] and λμ-calculus. In [31], a notion of bisimulation similar to ≈_ogs is introduced and shown to be fully abstract for an untyped version of λ_ref. Compared to the standard notion of eager normal-form bisimulations, the configurations in the bisimulations in [31] contain an environment similar to the environment component γ of the OGS LTS in Section 3.

In [1], a fully-abstract game model is provided for the ν-calculus. However, this model requires an extensional collapse, which is not directly computable at higher-order types. So that model could only be used to prove the decidability of contextual equivalence for terms of first-order types. Enforcing a well-bracketed and visible behaviour for Opponent in the OGS model, we believe that our trace model would coincide with the intensional game model of [1]. Nominal game semantics was developed for languages with nominal references and exceptions in [32]. In that setting, algorithmic presentations of game semantics make it possible to provide a classification of decidability of call-by-value languages with (bounded) integer references [19], and ground references [21]. In this setting, the undecidability of contextual equivalence originates from the use of integer references by Proponent. A detailed survey of the literature on contextual equivalence for the ν-calculus is available in [33].


7 Conclusion 


To decide the contextual equivalence between two λμν-typed terms M and N with contexts in the λμν_ref-calculus, we first construct the corresponding initial configurations, and we can decide by Thm. 14 if they are POGS-bisimilar. This decidability result comes from the fact that the POGS LTS generates finite trees.

Then, we prove in Thm. 29 and Thm. 30 that two initial active configurations are POGS-bisimilar iff they are OGS-bisimilar. This is possible because initial configurations are prime (they are active and γ is empty) and are also limit configurations (their disclosed sets contain all the atoms of the store). In Thm. 7 and Lemma 10, we prove that M and N are contextually equivalent iff the corresponding initial configurations are OGS-bisimilar, which yields decidability.

We now examine the obstacles that remain to prove the decidability of contextual equivalence with contexts in the ν-calculus.

First of all, in that setting, trace equivalence would not be fully abstract anymore (Thm. 7). Indeed, without integer references, one cannot observe the sequentiality of calls and returns. So an extensional collapse would be necessary.

Another obstacle is that in the absence of higher-order references, Opponent must satisfy a condition of O-visibility [2], that corresponds to a local well-scoping discipline, for the function names it is allowed to call. Working in an intuitionistic type system, corresponding to the standard λ-calculus without control operators, the call-and-return discipline of the interaction between Proponent and Opponent has to be well-bracketed. These two conditions, namely O-visibility and well-bracketing, can be enforced operationally [13] in the LTS, by keeping track of part of the history of the interaction. However, the reduction of ≈_ogs to ≈_pogs is not possible anymore in that setting. Indeed, the limit over-approximates the set of atoms that can be tested. This can be seen when comparing the programs


$\mathtt{new}\ n\ \mathtt{in}\ \mathtt{let}\ \_ = y(\lambda z.\ z = n)\ \mathtt{in}\ n \quad\text{and}\quad \mathtt{new}\ n\ \mathtt{in}\ \mathtt{let}\ \_ = y(\lambda z.\ \mathtt{false})\ \mathtt{in}\ n$


Assuming n is immediately disclosed makes it possible to distinguish the two programs. Because the local conditions of well-bracketing or visibility would prevent Opponent from playing some actions, Opponent could perform irreversible changes that would invalidate Lemma 25. This would make ≈_pogs incomplete.

To handle this difficulty, we could try and use Kripke eager normal-form 
bisimulation [11], using a structure for worlds richer than just a set of atoms. 

Finally, in the absence of full ground references, that can store locations, atoms played by Opponent would also follow a local well-scoping discipline, but the discriminatory power over Player atoms would also be restricted [20]. In such a setting, the same difficulties as with well-bracketing and O-visibility would arise, and a more complex extensional collapse would be needed.
Abstract. Behavioural distances measure the deviation between states 
in quantitative systems, such as probabilistic or weighted systems. There 
is growing interest in generic approaches to behavioural distances. In 
particular, coalgebraic methods capture variations in the system type (non- 
deterministic, probabilistic, game-based etc.), and the notion of quantale 
abstracts over the actual values distances take, thus covering, e.g., two- 
valued equivalences, (pseudo) metrics, and probabilistic (pseudo) metrics. 
Coalgebraic behavioural distances have been based either on liftings 
of Set-functors to categories of metric spaces, or on lax extensions of 
Set-functors to categories of quantitative relations. Every lax extension 
induces a functor lifting but not every lifting comes from a lax extension. 
It was shown recently that every lax extension is Kantorovich, i.e. induced 
by a suitable choice of monotone predicate liftings, implying via a quanti- 
tative coalgebraic Hennessy-Milner theorem that behavioural distances 
induced by lax extensions can be characterized by quantitative modal 
logics. Here, we essentially show the same in the more general setting of 
behavioural distances induced by functor liftings. In particular, we show 
that every functor lifting, and indeed every functor on (quantale-valued) 
metric spaces, that preserves isometries is Kantorovich, so that the in- 
duced behavioural distance (on systems of suitably restricted branching 
degree) can be characterized by a quantitative modal logic. 


1 Introduction 


Qualitative transition systems, such as standard labelled transition systems, 
are typically compared under two-valued notions of behavioural equivalence, 


* Funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Founda- 
tion) — project number 501369690. 

** Funded by The Center for Research and Development in Mathematics and Appli- 
cations (CIDMA) through the Portuguese Foundation for Science and Technology 
(FCT) — project numbers UIDB/04106/2020 and UIDP/04106/2020. 

*** Funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Founda- 
tion) — project number 259234802. 

† Funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) — project number 434050016.


© The Author(s) 2023 
O. Kupferman and P. Sobocinski (Eds.): FoSSaCS 2023, LNCS 13992, pp. 46-67, 2023. 
https://doi.org/10.1007/978-3-031-30829-1_3


Kantorovich Functors and Characteristic Logics for Behavioural Distances 47 


such as Park-Milner bisimilarity. For quantitative systems, such as probabilistic, 
weighted, or metric transition systems, notions of behavioural distance allow 
for a more fine-grained comparison, in particular give a numerical measure 
of the deviation between inequivalent states, instead of just flagging them as 
inequivalent [14,6,2,24]. 

The variation found in the mentioned system types calls for unifying methods, 
and correspondingly has given rise to generic notions of behavioural distance 
based on universal coalgebra [33], a framework for state-based systems in which 
the transition type of systems is encapsulated as an (endo-)functor on a suitable 
base category. Coalgebraic behavioural distances have been defined on the one 
hand using liftings of given set functors to the category of metric spaces [5], and 
on the other hand using lax extensions, i.e. extensions of set functors to categories 
of quantitative relations [13,38]. Since every lax extension induces a functor lifting 
in a straightforward way [38] but on the other hand not every functor lifting is 
induced by a lax extension, the approach via liftings is more widely applicable. 
On the other hand, it has been shown that every lax extension is Kantorovich, i.e. 
induced by a suitable choice of modalities, modelled as predicate liftings in the 
spirit of coalgebraic logic [28,34]. Using quantitative coalgebraic Hennessy-Milner 
theorems, it follows that under expected conditions on the functor and the lax 
extension, behavioural distance coincides with logical distance. 

Roughly speaking, our main contribution in the present paper is to show that 
the same holds for functor liftings and their induced behavioural distances. In 
more detail, we have the following (cf. Figure 1 for a graphical summary): 


— Every lifting of a set functor is topological, i.e. induced by a generalized form 
of predicate liftings in which one may need to switch to non-standard spaces 
of truth values for the predicates involved (Theorem 3.1). 

— Functor liftings that preserve isometries are Kantorovich, i.e. induced by 
(possibly polyadic) predicate liftings. (Here, we understand predicate liftings 
as involving only the standard space of truth values — that is, the unit interval, 
in the case of 1-bounded metric spaces). In fact, preservation of isometries is 
also necessary (Theorem 3.9). 

— Lastly, we detach the technical development from set functors, and show 
that a functor on (pseudo)metric spaces is Kantorovich, in the sense that 
the distance of its elements can be characterized by predicate liftings, iff it 
preserves isometries (Theorem 5.3). 


By a recent coalgebraic quantitative Hennessy-Milner theorem that fits this level 
of generality [12], it follows that given a functor F on (pseudo)metric spaces 
that preserves isometries, acts non-expansively on morphisms, and admits a dense 
finitary subfunctor, behavioural distance can be characterized by quantitative 
modal logic (Corollary 5.10). In additional results, we further clarify the relation- 
ship between functor liftings and lax extensions, and in particular characterize 
the functor liftings that are induced by lax extensions (Theorem 3.18). 

Indeed, we conduct the main technical development not only in coalgebraic 
generality, but also parametric in a quantale, hence abstracting both over distances 
and over truth values. One benefit of this generality is that our results cover the 
two-valued case, captured by the two-element quantale. In particular, one instance 
of our results is the fact that every finitary set functor has a separating set of 
finitary predicate liftings, and hence admits a modal logic having the Hennessy- 
Milner property [34]. Moreover, we do not restrict to symmetric distances, and 
hence cover also simulation preorders and simulation distances [24]. 


[Fig. 1 (diagram): nodes “monotone predicate liftings”, “predicate liftings”, “lax extensions” and “functor liftings”, connected by arrows labelled Theorem 3.1, Theorem 3.9, Theorem 3.16, Theorem 3.18, Corollary 3.17, [5] and [38].]


Fig. 1. Summary of connections (a rigorous categorical interpretation of these connec- 
tions involves a square of adjunctions (3)). 


Related Work Quantale-valued quantitative notions of bisimulation for functors 
that already live on generalized metric spaces (rather than being lifted from 
functors on sets) have been considered early on [40]. We have already mentioned 
previous work on coalgebraic behavioural metrics, for functors originally living 
on sets, via metric liftings [5] and via lax extensions [13,38]. Existing work that 
combines coalgebraic and quantalic generality and accommodates asymmetric 
distances, like the present work, has so far concentrated on establishing so-called 
van Benthem theorems, concerned with characterizing (coalgebraic) quantita- 
tive modal logics by bisimulation invariance [39]. There is a line of work on 
Kantorovich-type coinductive predicates at the level of generality of topological 
categories [21,22] (phrased in fibrational terminology), with results including a 
game characterization and expressive logics for coinductive predicates already 
assumed to be Kantorovich in a general sense, i.e. induced by variants of predi- 
cate liftings. In this work, the condition of preserving isometries already shows 
up as fiberedness, and indeed the condition already appears in work on metric 
liftings [5]. As mentioned in the above discussion, we complement existing work 
on quantitative coalgebraic Hennessy-Milner theorems [23,38,12] by establishing 
the Kantorovich property they assume. 


2 Preliminaries 


We will need a fair amount of material on coalgebra, quantales and quantale- 
enriched categories (generalizing metric spaces), predicate liftings, and lax extensions, which we recall in the sequel. New material starts in Section 3.


2.1 Categories and Coalgebras 


We assume basic familiarity with category theory [1,4]. More specifically, we make extensive use of topological categories [1] and quantale-enriched categories [26,20,36]. Recall that a coalgebra for a functor F: C → C consists of an object X of C, thought of as an object of states, and a morphism α: X → FX, thought of as assigning structured collections (sets, distributions, etc.) of successors to states. A coalgebra morphism from (X, α) to (Y, β) is a morphism f ∈ C(X, Y) such that β · f = Ff · α. We will focus on concrete categories over Set, that is, categories that come equipped with a faithful functor |−|: C → Set, which allows speaking about individual states as elements of |X|. A lifting of an endofunctor F: Set → Set to C is an endofunctor F̄: C → C such that |−| · F̄ = F · |−|.


Example 2.1. Some functors of interest for coalgebraic modelling are as follows. 


1. The finite powerset functor P_ω: Set → Set maps each set to its finite powerset, and for a map g, P_ω(g) takes direct images under g. Given a set A (of labels), coalgebras for the functor P_ω(A × −) are finitely branching A-labelled transition systems.

2. The finite distribution functor D_ω: Set → Set maps a set X to the set D_ω X of finitely supported probability distributions on X. Given a finite set A, coalgebras for the functor (1 + D_ω)^A are probabilistic transition systems [25,10].


Finitary functors are those which are determined by their action on finite sets. More precisely, a functor is finitary if for every set X and every x ∈ FX, there is a finite subset inclusion m: A → X such that x is in the image of Fm. Standard examples of non-finitary functors are as follows.


3. The (unbounded) powerset functor P: Set → Set.

4. The neighbourhood functor N: Set → Set sends a set X to the set PPX, and a function f: X → Y to the function Nf: NX → NY that assigns to every element x ∈ NX the set {B ⊆ Y | f^{-1}B ∈ x}.


2.2 Quantales and Quantale-Enriched Categories 


A central notion of our development is that of a quantale, which will serve as a parameter determining the range of truth values and distances. A quantale (V, ⊗, k), more precisely a commutative and unital quantale, is a complete lattice V (with joins and meets denoted by ⋁ and ⋀, respectively) that carries the structure of a commutative monoid with tensor ⊗ and unit k, such that for every u ∈ V, the map u ⊗ −: V → V preserves suprema. This entails that every u ⊗ − has a right adjoint hom(u, −): V → V, characterized by the property u ⊗ v ≤ w ⟺ v ≤ hom(u, w). We denote by ⊤ and ⊥ the greatest and the least element of a quantale, respectively. A quantale is non-trivial if ⊥ ≠ ⊤, and integral if ⊤ = k.


Example 2.2. 1. Every frame (i.e. a complete lattice in which binary meets distribute over infinite joins) is a quantale with ⊗ = ∧ and k = ⊤. In particular, every finite distributive lattice is a quantale, prominently 2, the two-element lattice {⊥, ⊤}, and 1, the trivial quantale.

2. Every left continuous t-norm [3] defines a quantale on the unit interval equipped with its natural order.

3. The previous clause (up to isomorphism) further specializes as follows:

(a) The quantale [0,∞]_+ = ([0,∞], inf, +, 0) of non-negative real numbers with infinity, ordered by the greater-or-equal relation, and with tensor given by addition.

(b) The quantale [0,∞]_max = ([0,∞], inf, max, 0) of non-negative real numbers with infinity, ordered by the greater-or-equal relation, and with tensor given by maximum.

(c) The quantale [0,1]_⊕ = ([0,1], inf, ⊕, 0) of the unit interval, ordered by the greater-or-equal relation, and with tensor given by truncated addition.

(Note that the quantalic order here is dual to the standard numeric order.)

4. Every commutative monoid (M, ·, e) generates a quantale on PM (the free quantale over M) w.r.t. set inclusion and with the tensor A ⊗ B = {a · b | a ∈ A and b ∈ B}, for all A, B ⊆ M. The unit of this multiplication is the set {e}.


A V-category is a pair (X, a) consisting of a set X and a map a: X × X → V such that k ≤ a(x, x) and a(x, y) ⊗ a(y, z) ≤ a(x, z) for all x, y, z ∈ X. We view a as a (not necessarily symmetric) distance function, noting however that objects with ‘greater’ distance should be seen as being closer together. A V-category (X, a) is symmetric if a(x, y) = a(y, x) for all x, y ∈ X. Every V-category (X, a) carries a natural order defined by x ≤ y whenever k ≤ a(x, y), which induces a faithful functor V-Cat → Ord. A V-category is separated if its natural order is antisymmetric. A V-functor f: (X, a) → (Y, b) is a map f: X → Y such that, for all x, y ∈ X, a(x, y) ≤ b(f(x), f(y)). V-categories and V-functors form the category V-Cat, and we denote by V-Cat_sym the full subcategory of V-Cat determined by the symmetric V-categories and by V-Cat_sym,sep the full subcategory of V-Cat_sym determined by the separated symmetric V-categories.


Example 2.3. 1. The category 1-Cat is equivalent to the category Set of sets and functions.
2. The category 2-Cat is equivalent to the category Ord of preordered sets and monotone maps.
3. Metric, ultrametric and bounded metric spaces à la Lawvere [26] can be seen as quantale-enriched categories:
(a) The category [0,∞]_+-Cat is equivalent to the category GMet of generalized metric spaces and non-expansive maps.
(b) The category [0,∞]_max-Cat is equivalent to the category GUMet of generalized ultrametric spaces and non-expansive maps.
(c) The category [0,1]_⊕-Cat is equivalent to the category BHMet of bounded-by-1 hemimetric spaces and non-expansive maps.
4. Categories enriched in a free quantale PM on a monoid M can be interpreted as sets equipped with a non-deterministic M-valued structure.


We focus on V = 2 and V = [0,1]_⊕, which we will use to capture classical (qualitative) and metric (quantitative) aspects of system behaviour, respectively. Table 1 provides some instances of generic quantale-based concepts (either introduced above or to be introduced presently) in these two cases, for further reference.
General V            | Qualitative (V = 2)           | Quantitative (V = [0,1]_⊕)
V-category           | preorder                      | bounded-by-1 hemimetric space
symmetric V-category | equivalence                   | bounded-by-1 pseudometric space
V-functor            | monotone map                  | non-expansive map
initial V-functor    | order-reflecting monotone map | isometry

Table 1. V-categorical notions in the qualitative and the quantitative setting. The prefix ‘pseudo’ refers to absence of separatedness, and the prefix ‘hemi’ additionally indicates absence of symmetry.


A V-category (X, a) is discrete if a = 1_X, and indiscrete if a(x, y) = ⊤ for all x, y ∈ X. The dual of (X, a) is the V-category (X, a)^op = (X, a°) given by a°(x, y) = a(y, x). Given a set X and a structured cone, i.e. a family (f_i: X → |(X_i, a_i)|)_{i∈I} of maps into V-categories (X_i, a_i), the initial structure a: X × X → V on X is defined by a(x, y) = ⋀_{i∈I} a_i(f_i(x), f_i(y)), for all x, y ∈ X. A cone ((X, a) → (X_i, a_i))_{i∈I} is said to be initial (w.r.t. the forgetful functor |−|: V-Cat → Set) if a is the initial structure w.r.t. the structured cone (X → |(X_i, a_i)|)_{i∈I}; a V-functor is initial if it forms a singleton initial cone. For every V-category (X, a) and every set S, the S-power (X, a)^S is the V-category consisting of the set of all functions from S to X, equipped with the V-category structure [−, −] given by [f, g] = ⋀_{s∈S} a(f(s), g(s)), for all f, g: S → X. By equipping its hom-sets with the substructure of the appropriate power, the category V-Cat becomes V-Cat-enriched and, hence, also Ord-enriched w.r.t. the corresponding natural order of V-categories. We say that an endofunctor on V-Cat is locally monotone if it preserves this preorder.


Remark 2.4. Let us briefly outline the connections between V-Cat and V-Cat_sym, which for real-valued V correspond to hemimetric and pseudometric spaces, respectively. By virtue of the above construction of initial structures, the categories V-Cat and V-Cat_sym are topological over Set [1]; in particular, both categories are complete and cocomplete. Moreover, V-Cat_sym is a (reflective and) coreflective full subcategory of V-Cat. The coreflector (−)_s: V-Cat → V-Cat_sym is the identity on morphisms and sends every (X, a) to its symmetrization, the V-category (X, a_s) where a_s(x, y) = a(x, y) ∧ a(y, x) (keep in mind that in Example 2.2.3, the order is the dual of the numeric order).


Finally, we note that for every quantale V, (V, hom) is a V-category, which for 
simplicity we also denote by V. The following result records two fundamental 
properties of the V-category V. 


Proposition 2.5. The V-category V = (V, hom) is injective w.r.t. initial morphisms, and for every V-category X, the cone (f: X → V)_f of all V-functors into V is initial.
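The definitions of this section instantiated at V = [0,1]_⊕ (Examples 2.2(3c) and 2.3(3c), Table 1, Remark 2.4 and Proposition 2.5), as an added Python illustration that is not the paper's code: a constructed asymmetric distance on three points is checked to be a V-category, its natural order and symmetrization are computed, and the initial structure of the cone of representable V-functors a(z, −): (X, a) → (V, hom) is shown to recover a. The sample matrix and the helper names (`representable_cone`, `recovers_structure`) are this example's own.

```python
"""[0,1]_⊕-categories as bounded-by-1 hemimetric spaces.

Added worked example, not code from the paper.  The quantale [0,1]_⊕ has
tensor = truncated addition and unit k = 0, and its order is the DUAL of the
numeric order (u ≤ v in V iff u >= v as numbers), so joins are infima, meets
are suprema, ⊤ = 0 and ⊥ = 1.  Every comparison below is written against the
quantale order and then commented with its numeric reading.
"""
EPS = 1e-9      # tolerance for float comparisons
UNIT = 0.0      # k, the unit of truncated addition


def leq(u, v):
    """Quantale order u ≤ v, i.e. u >= v numerically."""
    return u + EPS >= v


def tensor(u, v):
    """Truncated addition, the tensor of [0,1]_⊕."""
    return min(1.0, u + v)


def hom(u, w):
    """Right adjoint of u ⊗ -: u ⊗ v ≤ w iff v ≤ hom(u, w); numerically
    this is truncated subtraction w - u."""
    return max(0.0, w - u)


def is_v_category(X, a):
    """k ≤ a(x,x) and a(x,y) ⊗ a(y,z) ≤ a(x,z): zero self-distance and the
    triangle inequality a(x,z) <= a(x,y) ⊕ a(y,z)."""
    return all(leq(UNIT, a(x, x)) for x in X) and all(
        leq(tensor(a(x, y), a(y, z)), a(x, z)) for x in X for y in X for z in X)


def natural_order(X, a):
    """x ≤ y whenever k ≤ a(x, y), i.e. whenever a(x, y) = 0."""
    return {(x, y) for x in X for y in X if leq(UNIT, a(x, y))}


def symmetrization(a):
    """a_s(x,y) = a(x,y) ∧ a(y,x); the meet of [0,1]_⊕ is the numeric max."""
    return lambda x, y: max(a(x, y), a(y, x))


def is_v_functor(X, a, b, f):
    """a(x,y) ≤ b(f(x), f(y)) in V: f is non-expansive (Table 1)."""
    return all(leq(a(x, y), b(f(x), f(y))) for x in X for y in X)


def initial_structure(X, cone):
    """Initial structure for a structured cone of maps f_i: X -> (Y_i, b_i):
    a(x,y) = ⋀_i b_i(f_i(x), f_i(y)), the meet being the numeric supremum."""
    return lambda x, y: max(b(f(x), f(y)) for f, b in cone)


def representable_cone(X, a):
    """The V-functors a(z, -): (X, a) -> (V, hom), one for each z in X."""
    return [((lambda x, z=z: a(z, x)), hom) for z in X]


# constructed sample: an asymmetric distance on X = {0, 1, 2}
X = [0, 1, 2]
A_MATRIX = [[0.0, 0.0, 0.4],
            [0.5, 0.0, 0.4],
            [1.0, 0.7, 0.0]]


def A(x, y):
    return A_MATRIX[x][y]


def recovers_structure(X, a):
    """Proposition 2.5 on the sample: the cone of V-functors into V is
    initial, so the initial structure w.r.t. the representables a(z, -)
    is a itself (the z = x component alone already yields a(x, y))."""
    ini = initial_structure(X, representable_cone(X, a))
    return all(abs(ini(x, y) - a(x, y)) < EPS for x in X for y in X)


if __name__ == "__main__":
    print("V-category:", is_v_category(X, A))
    print("natural order:", sorted(natural_order(X, A)))
    print("symmetrization a_s(0,1):", symmetrization(A)(0, 1))
    print("initial structure recovers a:", recovers_structure(X, A))
```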


2.3 Predicate Liftings


Given a cardinal κ and a V-category X, a κ-ary X-valued predicate lifting for a functor F: V-Cat → V-Cat is a natural transformation λ: V-Cat(−, X^κ) → V-Cat(F−, X). When V is the trivial quantale, we identify an X-valued predicate lifting with a natural transformation λ: Set(−, X^κ) → Set(F−, X) via the isomorphism Set ≅ 1-Cat. In this case, we are primarily interested in predicate liftings valued in the underlying set of another quantale, and we say that such predicate liftings are monotone if each of their components is a monotone map w.r.t. the pointwise order induced by that quantale.


Remark 2.6. By the Yoneda lemma, every κ-ary X-valued predicate lifting for a functor F: V-Cat → V-Cat is determined by a V-functor FX^κ → X. In particular, the collection of all X-valued κ-ary predicate liftings for a functor is a set.


Example 2.7. 1. The Kripke semantics of the standard diamond modality ◇ of the modal logic K is induced (in a way recalled in Section 5) by the unary predicate lifting ◇_X(A) = {B ⊆ X | A ∩ B ≠ ∅} for the (finite) powerset functor (modulo the isomorphism PX ≅ Set(X, 2)).

2. Computing the expected value of a given [0,1]-valued function with respect to each probability distribution defines a unary [0,1]-valued predicate lifting for the functor D_ω: Set → Set, which we denote by E.


2.4 Quantale-Enriched Relations and Lax Extensions 


The structure of a quantale-enriched category is a particular kind of “enriched relation”. For a quantale V and sets X and Y, a V-relation from X to Y is a map r: X × Y → V; we then write r: X ⇸ Y. As for ordinary relations, a pair of V-relations r: X ⇸ Y and s: Y ⇸ Z can be composed via “matrix multiplication”: (s · r)(x, z) = ⋁_{y∈Y} r(x, y) ⊗ s(y, z) for x ∈ X, z ∈ Z. With this composition, the collection of all sets and V-relations between them forms a category, denoted V-Rel. The identity morphism on a set X is the V-relation 1_X: X ⇸ X that sends every diagonal element to k and all the others to ⊥.


Example 2.8. The category of 2-relations is the usual category Rel of sets and relations. Quantitative or “fuzzy” relations are usually defined as [0,1]_⊕-relations (e.g. [38,5]).

The category V-Rel comes with an involution (−)°: V-Rel^op → V-Rel that maps objects identically and sends a V-relation r: X ⇸ Y to the V-relation r°: Y ⇸ X given by r°(y, x) = r(x, y), the converse of r. Moreover, by equipping its hom-sets with the pointwise order induced by V, V-Rel is made into a quantaloid (e.g. [31]), i.e. enriched over complete join semilattices. This entails that there is an optimal way of extending a V-relation r: X ⇸ Y along a V-relation s: X ⇸ Z: the (Kan) extension of r along s is the V-relation r ⊘ s: Z ⇸ Y defined by the property t · s ≤ r ⟺ t ≤ r ⊘ s, for all t: Z ⇸ Y.

A lax extension¹ of a functor F: Set → Set to V-Rel is a lax functor F̂: V-Rel → V-Rel that agrees with F on sets and whose action on functions is compatible with F. To make the latter requirement precise, we note that a function is interpreted as the V-relation that sends every element of its graph to k and all the others to ⊥; then, a lax extension of F to V-Rel, or simply a lax extension, is a map (r: X ⇸ Y) ↦ (F̂r: FX ⇸ FY) such that:

¹ Extensions of Set-functors to Rel are also commonly referred to as “relators”, “relational liftings” or “lax relational liftings”.


(L1) r ≤ r' ⟹ F̂r ≤ F̂r',
(L2) F̂s · F̂r ≤ F̂(s · r),
(L3) Ff ≤ F̂f and (Ff)° ≤ F̂(f°),

for all r, r': X ⇸ Y, s: Y ⇸ Z and f: X → Y.


Example 2.9. The generalized “lower-half” Egli-Milner order between powersets, which for a relation r: X ⇸ Y is defined as the relation P̂r: PX ⇸ PY given by

$A\,(\widehat{P}r)\,B \iff \forall a \in A.\ \exists b \in B.\ a\,r\,b,$

defines a lax extension of the powerset functor P: Set → Set to Rel. Similarly, the generalized “upper-half” and the generalized Egli-Milner order define lax extensions of the powerset functor to Rel.


Lax extensions are deeply connected with monotone predicate liftings. To realize this, it is convenient to think of the X-component of a κ-ary predicate lifting as a map of type V-Rel(κ, X) → V-Rel(1, FX) [16].²


Definition 2.10. A κ-ary predicate lifting λ for a functor F: Set → Set is induced by a lax extension F̂: V-Rel → V-Rel if there is a V-relation t: 1 ⇸ Fκ such that λ(f) = F̂f · t, for every V-relation f: κ ⇸ X.


Example 2.11. By interpreting a subset of a set X as a relation from 1 to X, the unary predicate lifting ◇ (see Example 2.7) for the powerset functor P: Set → Set is induced by the lax extension of Example 2.9; indeed, it is determined by the map 1 → P1 that selects the set 1.


Remark 2.12. Every predicate lifting induced by a lax extension is monotone. 


Lax extensions have been instrumental in coalgebraic notions of behavioural 
distance (e.g. [13,38,39]), and the notion of Kantorovich extension has been 
crucial to connect such notions with coalgebraic modal logic [7]. 


Definition 2.13. Let F: Set → Set be a functor, and Λ a class of monotone predicate liftings for F. The Kantorovich lax extension of F w.r.t. Λ is the lax extension F_Λ = ⋀_{λ∈Λ} F_λ, where for every V-relation r: X ⇸ Y, the V-relation F_λ r: FX ⇸ FY is given by

$F_\lambda r = \bigwedge_{g\colon \kappa \nrightarrow X} \lambda(r \cdot g) \oslash \lambda(g).$

² Note that Goncharov et al. consider as their main point of view the dual of the one considered here [16, Proposition 4.2]. Our choice prevents a harmless mismatch between the Kantorovich liftings and Kantorovich extensions in Theorem 3.9.
Example 2.14. The Kantorovich extension of the powerset functor P: Set → Set to Rel w.r.t. the ◇ predicate lifting coincides with the extension given by the “lower-half” of the Egli-Milner order (Example 2.9).
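Definition 2.13 and Example 2.14 worked out for V = 2 on a constructed sample, as an added Python illustration that is not code from the paper: 2-relations are sets of pairs, the ◇ lifting of Example 2.7 and the lower-half Egli-Milner extension of Example 2.9 are computed by brute force over powersets, and the Kantorovich extension w.r.t. ◇ is checked to coincide with the Egli-Milner extension and to satisfy (L1)-(L3) on the sample. The sample sets and relations and the helper names are this example's own.

```python
"""Kantorovich extension of the powerset functor over the quantale 2.

Added illustration, not the paper's code.  For V = 2 a V-relation r: X -+-> Y
is an ordinary relation, represented here as a set of pairs; a V-relation
1 -+-> X is a subset of X; joins are existential quantification, meets are
universal quantification, the tensor is conjunction and hom(u, w) is
implication.  Everything is computed by brute force over powersets, so only
tiny constructed sets are used.
"""
from itertools import combinations


def powerset(xs):
    """All subsets of the finite set xs, as frozensets (the set P X)."""
    xs = list(xs)
    return [frozenset(c) for n in range(len(xs) + 1) for c in combinations(xs, n)]


def compose(r, s):
    """(s . r)(x, z) = OR_y r(x, y) AND s(y, z): relational composition, r first."""
    return {(x, z) for (x, y) in r for (y2, z) in s if y == y2}


def converse(r):
    """r°(y, x) = r(x, y)."""
    return {(y, x) for (x, y) in r}


def image(r, g):
    """r . g for g: 1 -+-> X, i.e. a subset g of X: the r-image of g in Y."""
    return frozenset(y for (x, y) in r if x in g)


def diamond(g):
    """The ◇ lifting of Example 2.7(1): the subset g of X is sent to the
    predicate {B ⊆ X | g ∩ B ≠ ∅} on P X, returned as a boolean function."""
    return lambda B: not g.isdisjoint(B)


def egli_milner_lower(r, X, Y):
    """Lower-half Egli-Milner extension (Example 2.9):
    A (P^ r) B  iff  for all a in A there is b in B with a r b."""
    return {(A, B) for A in powerset(X) for B in powerset(Y)
            if all(any((a, b) in r for b in B) for a in A)}


def kantorovich(lam, r, X, Y):
    """Kantorovich extension F_lam r: P X -+-> P Y (Definition 2.13 for V = 2):
    the meet over all g ⊆ X of the extension lam(r . g) ⊘ lam(g), which on the
    pair (A, B) reads hom(lam(g)(A), lam(r . g)(B)), i.e. an implication."""
    subsets = powerset(X)
    return {(A, B) for A in subsets for B in powerset(Y)
            if all((not lam(g)(A)) or lam(image(r, g))(B) for g in subsets)}


def satisfies_l1_l3(ext, X, Y, Z, r, r2, s, f):
    """Check (L1)-(L3) on the given data, where ext(r, X, Y) is the extension
    of r: X -+-> Y.  f: X -> Y is a function given as a dict, read as its graph."""
    graph = {(x, f[x]) for x in X}
    p_f = {(A, frozenset(f[a] for a in A)) for A in powerset(X)}  # P f as a relation
    l1 = (not r <= r2) or ext(r, X, Y) <= ext(r2, X, Y)
    l2 = compose(ext(r, X, Y), ext(s, Y, Z)) <= ext(compose(r, s), X, Z)
    l3 = p_f <= ext(graph, X, Y) and converse(p_f) <= ext(converse(graph), Y, X)
    return l1 and l2 and l3


# constructed sample data
X, Y, Z = [0, 1, 2], ["a", "b"], ["p", "q"]
R = {(0, "a"), (1, "a"), (1, "b")}          # element 2 has no successor under R
R2 = R | {(2, "b")}                          # R ⊆ R2, for checking (L1)
S = {("a", "p"), ("b", "q")}
F = {0: "a", 1: "a", 2: "b"}


def kantorovich_equals_egli_milner(r=R, X=X, Y=Y):
    """Example 2.14 on the sample: the Kantorovich extension w.r.t. ◇ is the
    lower-half Egli-Milner extension."""
    return kantorovich(diamond, r, X, Y) == egli_milner_lower(r, X, Y)


if __name__ == "__main__":
    print("Kantorovich = lower Egli-Milner:", kantorovich_equals_egli_milner())
    print("(L1)-(L3) hold on the sample:",
          satisfies_l1_l3(egli_milner_lower, X, Y, Z, R, R2, S, F))
```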


As suggested by the previous example, the Kantorovich extension leads to a 
representation theorem that plays an important role in Section 3.2. 


Theorem 2.15 ([16]). Let F̂: V-Rel → V-Rel be a lax extension, and let Λ be the class of all predicate liftings induced by F̂. Then, F̂ = F_Λ.


3 Topological Liftings 


It is well-known that every lax extension F̂: V-Rel → V-Rel of a functor F: Set → Set gives rise to a lifting (which we denote by the same symbol) of F to V-Cat (for instance, see [37]). By definition, liftings are completely determined by their action on objects. In particular, the lifting F̂: V-Cat → V-Cat induced by a lax extension sends a V-category (X, a) to the V-category (FX, F̂a). Of course, it does not make sense to talk about functor liftings to the category V-Cat when V is trivial, hence we assume from now on that V is non-trivial.

Predicate liftings also induce functor liftings, via a simple construction available on all topological categories that goes back, at least, to work in categorical duality theory [11,29]: To lift a functor G: A → Y along a topological functor |−|: B → Y, it is enough to give, for every object A in A, a structured cone


$C(A) = (GA \xrightarrow{h} |B|)_{h,B}$   (1)


so that, for every h in C(A) and every f: A' → A, the composite h · Gf belongs to the cone C(A'). Then, for an object A in A, one defines G↑A by equipping GA with the initial structure w.r.t. the structured cone (1). It is easy to see that the assignment X ↦ G↑X indeed defines a functor G↑: A → B such that |−| · G↑ = G. This technique has been previously applied in the context of codensity liftings [21,22,35,19] and Kantorovich liftings [5]. We apply this to our situation as follows. Given a functor F: Set → Set, take G = F · |−|; then a lifting of F to V-Cat can be specified by a class of natural transformations


$\lambda\colon \mathcal{V}\text{-Cat}(-, A_\lambda) \to \mathsf{Set}(F|-|, |B_\lambda|),$   (2)


(which may be thought of as generalized predicate liftings, in that they lift A_λ-valued predicates to B_λ-valued ones). Namely, given a V-category X, we consider the structured cone consisting of all maps

$\lambda(f)\colon F|X| \to |B_\lambda|$

where λ ranges over the given natural transformations and f over all V-functors X → A_λ. As described above, we obtain a V-category F↑X by equipping F|X| with the initial structure w.r.t. this cone. We call functor liftings constructed in this way topological. Indeed, it turns out that every functor lifting is topological, even when one restricts B_λ in (2) to be the V-category (V, hom):
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Theorem 3.1. Every lifting of a Set-functor to V-Cat is topological w.r.t. a class 
of natural transformations A: V-Cat(—, Ax) — Set(F|—|, |V|). 


In examples, we usually construct a generalized predicate lifting (2) from a $\kappa$-ary predicate lifting $\lambda$ for the set functor $F$: Choose a pair $(A,B)$ of $V$-categories over the sets $V^{\kappa}$ and $V$, respectively (the above theorem allows restricting to $B=V$, and the examples we present are of this kind). We can then precompose $\lambda$ with the inclusion natural transformation $V\text{-}\mathbf{Cat}(-,A)\to\mathbf{Set}(|{-}|,|A|)$, obtaining a natural transformation $\lambda^{(A,B)}\colon V\text{-}\mathbf{Cat}(-,A)\to\mathbf{Set}(F|{-}|,|B|)$ that applies $\lambda$ to maps underlying $V$-functors with codomain $A$.


Example 3.2. 1. The discrete lifting of the identity functor Id: Set — Set, 
which sends every V-category to the discrete V-category with the same underlying 
set, can be obtained as a topological lifting constructed from the identity V-valued 
predicate lifting for Id by choosing A to be the V-category consisting of the set V 
equipped with the indiscrete structure. 

2. The lifting of the identity functor Id: Set — Set to Ord that computes the 
smallest equivalence relation that contains a given preorder can be obtained as a 
topological lifting constructed from the 2-valued identity predicate lifting for Id 
by choosing A to be the discrete preordered set with two elements. 

3. It is well-known that the total variation distance between finite distributions $\mu,\nu$ on a set $X$ coincides with the Kantorovich distance on the discrete bounded-by-1 metric space $X$ (e.g. [15]); that is, $d_{TV}(\mu,\nu)=\bigvee_{f\colon X\to[0,1]}E_X(f)(\nu)\ominus E_X(f)(\mu)$ (see Example 2.7(2)). Therefore, the total variation distance defines a lifting of the finite distribution functor to BHMet that can be obtained as the topological lifting constructed from the predicate lifting $E$ by choosing $A$ to be the indiscrete space $[0,1]$. This example is closely related to the first one. Indeed, this lifting is the composite of the Kantorovich lifting of the finite distribution functor to BHMet (see Example 3.5) and the discrete lifting of the identity functor to BHMet. By Theorem 3.9 below, precomposing functor liftings with the discrete lifting of the identity functor can be used to derive non-Kantorovich liftings.


Remark 3.3. Theorem 3.1 can be fine-tuned to show that the discrete lifting $F^{\mathrm d}\colon\mathbf{Ord}\to\mathbf{Ord}$ of a finitary functor $F\colon\mathbf{Set}\to\mathbf{Set}$ is a topological lifting constructed from a set $\Lambda$ of finitary 2-valued predicate liftings for $F$. Hence, for every set $X$, considered as a discrete preordered set, we have that the cone of all maps $\lambda(f)\colon F^{\mathrm d}(X,1_X)\to 2$, for $\kappa$-ary predicate liftings $\lambda\in\Lambda$ and maps $f\colon X\to 2^{\kappa}$, is initial. Thus, as $F^{\mathrm d}(X,1_X)$ is antisymmetric, this cone is mono. In this sense, our results subsume the result that every finitary Set-functor admits a separating set of finitary predicate liftings [34].


3.1 Kantorovich Liftings 


For our present purposes, we are primarily interested in topological liftings induced by predicate liftings in the standard sense, i.e. the natural transformations (2) are of the shape $\lambda\colon V\text{-}\mathbf{Cat}(-,V^{\kappa})\to\mathbf{Set}(F|{-}|,|V|)$, and thus employ $V$, equipped with its standard $V$-category structure, as the object of truth values throughout. In particular, this format is needed to use predicate liftings as modalities in existing frameworks for quantitative coalgebraic logic (Section 5). Many functor liftings considered in work on coalgebraic behavioural distance can be understood as topological liftings constructed in this way (e.g. [5,22,38,39,12]). To simplify notation, in the sequel we often omit the forgetful functor to Set.


Definition 3.4. Let $F\colon\mathbf{Set}\to\mathbf{Set}$ be a functor and $\Lambda$ a class of $V$-valued predicate liftings for $F$. The Kantorovich lifting of $F$ w.r.t. $\Lambda$ is the topological lifting $F^{\Lambda}\colon V\text{-}\mathbf{Cat}\to V\text{-}\mathbf{Cat}$ that sends a $V$-category $X=(X,a)$ to the $V$-category $(FX,F^{\Lambda}a)$, where $F^{\Lambda}a$ denotes the initial structure on $FX$ w.r.t. the structured cone of all functions
$$\lambda(f)\colon F|X|\longrightarrow|V|$$
where $\lambda\in\Lambda$ is $\kappa$-ary and $f\colon(X,a)\to V^{\kappa}$ is a $V$-functor. Generally, a lifting $\bar F\colon V\text{-}\mathbf{Cat}\to V\text{-}\mathbf{Cat}$ of $F$ is Kantorovich if $\bar F=F^{\Lambda}$ for some class $\Lambda$ of predicate liftings for $F$.


Example 3.5. As the name suggests, the prototypical example of a Kantorovich lifting is given by the (non-symmetric) Kantorovich distance between finite distributions, which arises as the Kantorovich lifting of the finite distribution functor on Set to the category BHMet w.r.t. the predicate lifting $E$ that computes expected values, i.e. $\mathcal D^{E}(X,a)(\mu,\nu)=\bigvee_{f\colon(X,a)\to[0,1]}E_X(f)(\nu)\ominus E_X(f)(\mu)$.


We go on to exploit the universal property of initial lifts of cones to characterize the liftings that are Kantorovich. In the following, fix a functor $F\colon\mathbf{Set}\to\mathbf{Set}$ and a quantale $V$. Consider the partially ordered conglomerate $\mathrm{Pred}(F)$ of classes of $V$-valued predicate liftings for $F$ ordered by containment, i.e. $\Lambda\le\Lambda'\iff\Lambda\supseteq\Lambda'$; and the partially ordered class $\mathrm{Lift}(F)$ of liftings of $F$ to $V$-Cat ordered pointwise, i.e. $\bar F\le\bar F'\iff\bar Fa\le\bar F'a$ for every $V$-category $(X,a)$.


Definition 3.6. Let $\bar F\colon V\text{-}\mathbf{Cat}\to V\text{-}\mathbf{Cat}$ be a lifting of $F$. A $\kappa$-ary $V$-valued predicate lifting $\lambda$ for $F$ is compatible with $\bar F$ if it restricts to a predicate lifting for $\bar F$:
$$\begin{array}{ccc}
V\text{-}\mathbf{Cat}(-,V^{\kappa}) & \xrightarrow{\;\lambda\;} & V\text{-}\mathbf{Cat}(\bar F-,V)\\[3pt]
\big\downarrow & & \big\downarrow\\[3pt]
\mathbf{Set}(-,|V^{\kappa}|) & \xrightarrow{\;\lambda\;} & \mathbf{Set}(F|{-}|,|V|)
\end{array}$$
where the vertical arrows denote set inclusions; that is, if $\lambda$ lifts $V$-functorial predicates on $X$ to $V$-functorial predicates on $\bar FX$. The class of all predicate liftings compatible with $\bar F$ is denoted by $P(\bar F)$.


Proposition 3.7. A $\kappa$-ary $V$-valued predicate lifting $\lambda$ for $F$ is compatible with $\bar F$ iff the map $\lambda(1_{V^{\kappa}})\colon F(|V^{\kappa}|)\to|V|$ is a $V$-functor of type $\bar FV^{\kappa}\to V$.


The Kantorovich lifting defines a universal construction: 


Theorem 3.8. Let $F\colon\mathbf{Set}\to\mathbf{Set}$ be a functor. Assigning to a class of predicate liftings for $F$ the corresponding Kantorovich lifting yields a right adjoint $F^{(-)}\colon\mathrm{Pred}(F)\to\mathrm{Lift}(F)$ whose left adjoint $P\colon\mathrm{Lift}(F)\to\mathrm{Pred}(F)$ maps a lifting of $F$ to the class $P(\bar F)$ of all $V$-valued predicate liftings for $F$ that are compatible with the lifting.

The following result shows that Kantorovich liftings are characterized by a pleasant property that is required in multiple results in the context of coalgebraic approaches to behavioural distance (e.g. [5,22,12,40]).


Theorem 3.9. A lifting of a Set-functor to V-Cat is Kantorovich iff it preserves 
initial morphisms. 


Corollary 3.10. Every topological lifting of a functor $F\colon\mathbf{Set}\to\mathbf{Set}$ w.r.t. a class of natural transformations $\lambda\colon V\text{-}\mathbf{Cat}(-,A_{\lambda})\to\mathbf{Set}(F-,|B_{\lambda}|)$ where each $A_{\lambda}$ is injective in $V$-Cat w.r.t. initial morphisms is Kantorovich.


Corollary 3.11. The composite of Kantorovich liftings is Kantorovich. 


Example 3.12. The characterization of Theorem 3.9 makes it easy to distinguish 
Kantorovich liftings. 


1. It is an elementary fact that every lifting induced by a lax extension pre- 
serves initial morphisms (e.g. [18, Proposition 2.16]). In particular, the Wasserstein 
lifting [5] is Kantorovich. 

2. The identity functor on Set has a lifting $(-)^{\mathrm{op}}\colon V\text{-}\mathbf{Cat}\to V\text{-}\mathbf{Cat}$ that sends every $V$-category to its dual. Clearly, this lifting preserves initial morphisms, and hence it is Kantorovich. Indeed, one can show that it is the Kantorovich lifting of the identity functor w.r.t. the set of $V$-valued predicate liftings determined by the representable $V$-functors $V^{\mathrm{op}}\to V$.

3. The functor $(-)_{\mathrm s}\colon V\text{-}\mathbf{Cat}\to V\text{-}\mathbf{Cat}_{\mathrm{sym}}$ that symmetrizes $V$-categories gives rise to a lifting $(-)_{\mathrm s}\colon V\text{-}\mathbf{Cat}\to V\text{-}\mathbf{Cat}$ of the identity functor on Set. Clearly, this functor preserves initial morphisms, and hence it is Kantorovich. Indeed, one can show that it is the Kantorovich lifting of the identity functor w.r.t. the set of all $V$-valued predicate liftings determined by the representable $V$-functors $V_{\mathrm s}\to V$.

4. The discrete lifting of the identity functor on Set to $V$-Cat is not Kantorovich, as it fails to preserve initial morphisms.

5. The lifting of the identity functor on Set to $V$-Cat that sends a $V$-category $(X,a)$ to the $V$-category given by the final structure w.r.t. the structured cospan of identity maps $|(X,a)|\to X\leftarrow|(X,a^{\mathrm{op}})|$ is not Kantorovich. This lifting generalizes Example 3.2(2).

6. The lifting of the finite distribution functor on Set to BHMet given by the Kantorovich distance is Kantorovich, while the lifting given by the total variation distance is not Kantorovich.
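The 2-valued instance of Definition 3.4 and Theorem 3.9, as an added Python example that is not part of the paper: with $V = 2$, $V$-Cat is Ord, $F$ is the finite powerset functor and $\Lambda$ consists of the two predicate liftings $\Diamond$ (the predicate holds on some element) and $\Box$ (it holds on all elements). The script computes the Kantorovich lifting of a small preorder by brute force over all monotone maps $X \to 2$ (the up-sets), checks that it coincides with the Egli-Milner preorder (the lifting induced by the Egli-Milner lax extension of the powerset functor, which preserves initial morphisms by Example 3.12(1)), checks that the direct-image map of a non-injective initial morphism is again initial for the lifted structures, and checks that the discrete lifting of Example 3.12(4) does not preserve that morphism. The preorders, the map and their names are constructed for the example.

```python
"""Kantorovich lifting of the finite powerset functor to Ord (the case V = 2 of
Definition 3.4), computed by brute force, with the initial-morphism checks of
Theorem 3.9 and Example 3.12.  Added example; not code from the paper."""
from itertools import combinations


def powerset(xs):
    """All subsets of xs as frozensets (the finite powerset functor on objects)."""
    xs = list(xs)
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]


def upsets(X, le):
    """Monotone maps (X, le) -> 2, represented by the up-sets they classify."""
    return [U for U in powerset(X)
            if all(y in U for x in U for y in X if (x, y) in le)]


# The two 2-valued predicate liftings for the powerset functor.
def diamond(U, A):
    """<>: some element of A satisfies the predicate U."""
    return bool(A & U)


def box(U, A):
    """[]: every element of A satisfies the predicate U."""
    return A <= U


def kantorovich_powerset(X, le, liftings=(diamond, box)):
    """A <= B in P^Lambda(X, le) iff lam(f)(A) <= lam(f)(B) for every lam in Lambda
    and every monotone f: (X, le) -> 2 (Definition 3.4 with V = 2)."""
    Us = upsets(X, le)
    return {(A, B) for A in powerset(X) for B in powerset(X)
            if all(lam(U, A) <= lam(U, B) for lam in liftings for U in Us)}


def egli_milner(X, le):
    """Lifting induced by the Egli-Milner lax extension of the powerset functor:
    every a in A is below some b in B, and every b in B is above some a in A."""
    return {(A, B) for A in powerset(X) for B in powerset(X)
            if all(any((a, b) in le for b in B) for a in A)
            and all(any((a, b) in le for a in A) for b in B)}


def is_initial(le_X, le_Y, f, X):
    """f: (X, le_X) -> (Y, le_Y) is initial in Ord iff x <= y exactly when f(x) <= f(y)."""
    return all(((x, y) in le_X) == ((f[x], f[y]) in le_Y) for x in X for y in X)


def direct_image(f, X):
    """Action of the powerset functor on the map f, as a dict on subsets of X."""
    return {A: frozenset(f[x] for x in A) for A in powerset(X)}


def discrete(X):
    """The discrete lifting of the identity functor: keep only the diagonal."""
    return {(x, x) for x in X}


# Constructed sample (hypothetical, for the example): a and b are equivalent, c is
# isolated, and f identifies a with b.  f is initial (order-reflecting) but not injective.
X = frozenset('abc')
LE_X = {(x, x) for x in X} | {('a', 'b'), ('b', 'a')}
Y = frozenset('pq')
LE_Y = {(y, y) for y in Y}
F = {'a': 'p', 'b': 'p', 'c': 'q'}


def run_checks():
    """Return the four facts the example is about, as booleans."""
    PX, PY = kantorovich_powerset(X, LE_X), kantorovich_powerset(Y, LE_Y)
    return {
        "kantorovich_equals_egli_milner": PX == egli_milner(X, LE_X),
        "f_is_initial": is_initial(LE_X, LE_Y, F, X),
        "Pf_is_initial": is_initial(PX, PY, direct_image(F, X), powerset(X)),
        "discrete_lifting_keeps_f_initial": is_initial(discrete(X), discrete(Y), F, X),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

The last check is the mechanism behind Example 3.12(4): the discrete lifting throws away the pairs $(a,b)$ and $(b,a)$, so $f$ no longer reflects the order after lifting, whereas the Kantorovich lifting keeps exactly the information that the up-sets (the monotone 2-valued predicates) can see.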


3.2 Liftings Induced by Lax Extensions 


We show next that lax extensions, functor liftings, and predicate liftings are 
linked by adjunctions, and characterize the liftings induced by lax extensions. 
We begin by showing that the Kantorovich extension and the Kantorovich lifting 
are compatible. 
Theorem 3.13. Let $\hat F\colon V\text{-}\mathbf{Cat}\to V\text{-}\mathbf{Cat}$ be a lifting of a functor $F\colon\mathbf{Set}\to\mathbf{Set}$ induced by a lax extension $\hat F\colon V\text{-}\mathbf{Rel}\to V\text{-}\mathbf{Rel}$. If $\hat F\colon V\text{-}\mathbf{Rel}\to V\text{-}\mathbf{Rel}$ is the Kantorovich extension w.r.t. a class $\Lambda$ of predicate liftings, then the functor $\hat F\colon V\text{-}\mathbf{Cat}\to V\text{-}\mathbf{Cat}$ is the Kantorovich lifting of $F\colon\mathbf{Set}\to\mathbf{Set}$ w.r.t. $\Lambda$.


Let $\mathrm{Lax}(F)$ denote the partially ordered class of lax extensions of a functor $F\colon\mathbf{Set}\to\mathbf{Set}$ to $V$-Rel ordered pointwise:
$$\hat F\le\hat F'\iff\forall r\in V\text{-}\mathbf{Rel}.\ \hat Fr\le\hat F'r;$$
let $\mathrm{Lift}(F)_{\mathrm i}$ denote the partially ordered subclass of $\mathrm{Lift}(F)$ consisting of the liftings that preserve initial morphisms, and let $\mathrm{Pred}(F)_{\mathrm m}$ denote the partially ordered subconglomerate of $\mathrm{Pred}(F)$ of monotone predicate liftings. Clearly, the operations of taking Kantorovich extensions, $\hat F^{(-)}\colon\mathrm{Pred}(F)_{\mathrm m}\to\mathrm{Lax}(F)$, and of inducing liftings from lax extensions, ${\downarrow}\colon\mathrm{Lax}(F)\to\mathrm{Lift}(F)$, define monotone maps. Moreover, as we have seen in Theorem 3.9, the monotone map $F^{(-)}\colon\mathrm{Pred}(F)\to\mathrm{Lift}(F)$ corestricts to $\mathrm{Lift}(F)_{\mathrm i}$. Therefore, our results so far tell us that lax extensions, liftings and predicate liftings are connected through a diagram of monotone maps
$$\begin{array}{ccc}
\mathrm{Lax}(F) & \xrightarrow{\;\downarrow\;} & \mathrm{Lift}(F)_{\mathrm i}\\[3pt]
{\scriptstyle\hat F^{(-)}}\big\uparrow & & {\scriptstyle P}\big\downarrow\ \big\uparrow{\scriptstyle F^{(-)}}\\[3pt]
\mathrm{Pred}(F)_{\mathrm m} & \xrightarrow{\;\subseteq\;} & \mathrm{Pred}(F)
\end{array}$$
which commutes if the left adjoint $P$ is ignored. In the sequel, we will see that every monotone map in this diagram is an adjoint. In particular, it might not be immediately obvious that the monotone map $\hat F^{(-)}\colon\mathrm{Pred}(F)_{\mathrm m}\to\mathrm{Lax}(F)$ is a right adjoint without first thinking in terms of functor liftings induced by lax extensions, because the obvious guess, taking the predicate liftings induced by a lax extension (Definition 2.10), in general does not define a monotone map $\mathrm{Lax}(F)\to\mathrm{Pred}(F)_{\mathrm m}$. The next example illustrates this, as well as the fact that there are predicate liftings compatible with a functor lifting induced by a lax extension that are not induced by the lax extension.


Example 3.14. The identity functor on Ord is the lifting induced by the identity functor on Rel as a lax extension of the identity functor on Set. The constant map into $\top$ is a monotone map $2\to2$ and, hence, determines a predicate lifting that is compatible with the identity functor on Ord. It is easy to see that this predicate lifting is induced by the largest extension of the identity functor; however, it is not induced by the identity functor on Rel [16, Example 3.12].


It should also be noted that the predicate liftings compatible with a functor lifting that preserves initial morphisms are not necessarily monotone. That is, the map $P\colon\mathrm{Lift}(F)_{\mathrm i}\to\mathrm{Pred}(F)$ does not necessarily corestrict to $\mathrm{Pred}(F)_{\mathrm m}$.


Example 3.15. Consider the lifting $(-)^{\mathrm{op}}\colon\mathbf{Ord}\to\mathbf{Ord}$ of the identity functor on Set that sends each preordered set to its dual. Then, the predicate lifting for $(-)^{\mathrm{op}}$ determined by the $V$-functor $\hom(-,0)\colon(2,\hom)^{\mathrm{op}}\to(2,\hom)$ is not monotone since it sends the constant map $0\colon1\to2$ to the constant map $1\colon1\to2$.
Accordingly, we need to "filter the monotone predicate liftings" first. This operation trivially defines the left adjoint $M\colon\mathrm{Pred}(F)\to\mathrm{Pred}(F)_{\mathrm m}$ of the inclusion map $\mathrm{Pred}(F)_{\mathrm m}\hookrightarrow\mathrm{Pred}(F)$.


Theorem 3.16. Let $F\colon\mathbf{Set}\to\mathbf{Set}$ be a functor. The monotone map ${\downarrow}\colon\mathrm{Lax}(F)\to\mathrm{Lift}(F)_{\mathrm i}$ is order-reflecting and right adjoint to the monotone map $\hat F^{MP(-)}\colon\mathrm{Lift}(F)_{\mathrm i}\to\mathrm{Lax}(F)$.

Corollary 3.17. Let $F\colon\mathbf{Set}\to\mathbf{Set}$ be a functor. The monotone map $\hat F^{(-)}\colon\mathrm{Pred}(F)_{\mathrm m}\to\mathrm{Lax}(F)$ is right adjoint to the order-reflecting monotone map $MP{\downarrow}\colon\mathrm{Lax}(F)\to\mathrm{Pred}(F)_{\mathrm m}$.


Therefore, the interplay between lax extensions, liftings and predicate liftings is captured by the diagram
$$\begin{array}{ccc}
\mathrm{Lax}(F) & \begin{array}{c}\xleftarrow{\;\hat F^{MP(-)}\;}\\[-4pt]\xrightarrow{\;\downarrow\;}\end{array} & \mathrm{Lift}(F)_{\mathrm i}\\[6pt]
{\scriptstyle\hat F^{(-)}}\big\uparrow\ \big\downarrow{\scriptstyle MP\downarrow} & & {\scriptstyle F^{(-)}}\big\uparrow\ \big\downarrow{\scriptstyle P}\\[6pt]
\mathrm{Pred}(F)_{\mathrm m} & \begin{array}{c}\xleftarrow{\;M\;}\\[-4pt]\xrightarrow{\;\subseteq\;}\end{array} & \mathrm{Pred}(F)
\end{array}\qquad(3)$$
in which the right adjoints are ${\downarrow}$, $\hat F^{(-)}$, $F^{(-)}$ and the inclusion, and the left adjoints are $\hat F^{MP(-)}$, $MP{\downarrow}$, $P$ and $M$; the diagram commutes when only the right adjoints or only the left adjoints are considered. Finally, we characterize the liftings induced by lax extensions.


Theorem 3.18. A lifting F of a Set-functor F to V-Cat is induced by a lax 
extension of F to V-Rel iff F preserves initial morphisms and is locally monotone. 


$V$-enriched lax extensions have proved to be crucial to deduce quantitative van Benthem and Hennessy-Milner theorems [38,39]. We recall that a lax extension $\hat F$ of a functor $F\colon\mathbf{Set}\to\mathbf{Set}$ to $V$-Rel is $V$-enriched [39,16] if, for all $u\in V$, $u\otimes\hat F1_X\le\hat F(u\otimes1_X)$; where $u\otimes r$ denotes the $V$-relation "$r$ scaled by $u$", that is, $(u\otimes r)(x,y)=u\otimes r(x,y)$.

Theorem 3.19. A lifting $\bar F$ of a Set-functor $F$ to $V$-Cat is induced by a $V$-enriched lax extension of $F$ to $V$-Rel iff $\bar F$ preserves initial morphisms and is $V$-Cat-enriched.


Our characterization of lax extensions makes it clear that there is a large collection of Kantorovich liftings that are not induced by lax extensions. For instance, it follows from Theorem 3.18 that the liftings $(-)^{\mathrm{op}}\colon V\text{-}\mathbf{Cat}\to V\text{-}\mathbf{Cat}$ and $(-)_{\mathrm s}\colon V\text{-}\mathbf{Cat}\to V\text{-}\mathbf{Cat}$ (see Example 3.12) of the identity functor on Set to $V$-Cat are Kantorovich but are not induced by lax extensions. Furthermore, as the composite of Kantorovich liftings is Kantorovich, in many situations it is possible to compose these functors with other Kantorovich liftings to generate liftings that are not induced by lax extensions.
4 Behavioural Distance


One main motivation for lifting functors to metric spaces was to obtain coalgebraic notions of behavioural distance [5,38]. Indeed, every functor $\bar F\colon V\text{-}\mathbf{Cat}\to V\text{-}\mathbf{Cat}$ gives rise to a notion of distance on $\bar F$-coalgebras:

Definition 4.1. [12] Let $(X,a,\alpha)$ be a coalgebra for a functor $\bar F\colon V\text{-}\mathbf{Cat}\to V\text{-}\mathbf{Cat}$. The behavioural distance $\mathrm{bd}^{\bar F}_{\alpha}(x,y)$ of $x,y\in X$ is
$$\mathrm{bd}^{\bar F}_{\alpha}(x,y)=\bigvee\{\,b(f(x),f(y))\mid f\colon(X,a,\alpha)\to(Y,b,\beta)\in\mathbf{CoAlg}(\bar F)\,\}.\qquad(4)$$

Notice the analogy with the standard notion of behavioural equivalence: Two states are behaviourally equivalent if they can be made equal under some coalgebra morphism; and according to the above definition, two states in a metric coalgebra have low behavioural distance if they can be made to have low distance under some coalgebra morphism.

Kantorovich liftings and lax extensions are key ingredients in the alternative coalgebraic approaches to behavioural distance on Set-based coalgebras mentioned above. Let $F\colon\mathbf{Set}\to\mathbf{Set}$ be a functor. A Kantorovich lifting $F^{\Lambda}\colon V\text{-}\mathbf{Cat}\to V\text{-}\mathbf{Cat}$ induces a notion of behavioural distance on an $F$-coalgebra $\alpha\colon X\to FX$ as the greatest $V$-categorical structure $(X,a)$ that makes $\alpha$ a $V$-functor of type $(X,a)\to F^{\Lambda}(X,a)$ [5,22]. From Theorem 3.9 and [12, Proposition 12] (generalized to $V$-Cat, with the same proof), we obtain that this distance coincides with behavioural distance as defined above. On the other hand, every lax extension $\hat F\colon V\text{-}\mathbf{Rel}\to V\text{-}\mathbf{Rel}$ of $F$ also induces a behavioural distance on an $F$-coalgebra $\alpha\colon X\to FX$ as the greatest simulation on $\alpha$ [32,40,13,38], i.e. the greatest $V$-relation $s$ from $X$ to $X$ such that $\alpha\cdot s\le\hat Fs\cdot\alpha$. It follows by routine calculation that this distance coincides with the distance defined via the lifting induced by the lax extension and, hence, Theorem 3.13 ensures that, if we start with a collection of monotone predicate liftings, then the corresponding Kantorovich extension and Kantorovich lifting yield the same notion of behavioural distance. This allows including the approach to behavioural distance via lax extensions in the categorical framework for indistinguishability introduced recently by Komorida et al. [22]. On the other hand, there are notions of behavioural distance defined via Kantorovich liftings that do not arise via lax extensions. Indeed, it has been shown that the neighbourhood functor $N\colon\mathbf{Set}\to\mathbf{Set}$ does not admit a lax extension to Rel that preserves converses ($\hat F(r^{\circ})=(\hat Fr)^{\circ}$) whose (2-valued) notion of behavioural distance coincides with behavioural equivalence [27, Theorem 12]. However, from [12, Theorem 34, Proposition A.6] (see also [17]), we can conclude that the (2-valued) notion of behavioural distance defined by the canonical Kantorovich lifting of $N$ to Equ w.r.t. the predicate lifting induced by the identity natural transformation $N\to N$ coincides with behavioural equivalence. (It is easy to see that Marti and Venema's result holds even if one allows lax extensions of $N$ that do not preserve converses, and that the situation remains the same in the asymmetric case.)
5 Expressivity of Quantitative Coalgebraic Logics


We proceed to connect the characterization of Kantorovich functors with existing expressivity results for quantitative coalgebraic logic, focusing from now on on symmetric $V$-categories. Therefore, we interpret the $V$-categorical notions and results also with $V$-Cat$_{\mathrm{sym}}$ instead of $V$-Cat and $V_{\mathrm s}$ instead of $V$.

We recall a variant [12] of (quantitative) coalgebraic logic [28,34,7,23,38] that follows the paradigm of interpreting modalities via predicate liftings, in this case of $V$-valued predicates for a $V$-Cat-functor (Section 2.3). Let $\Lambda$ be a set of finitary predicate liftings for a functor $F\colon V\text{-}\mathbf{Cat}_{\mathrm{sym}}\to V\text{-}\mathbf{Cat}_{\mathrm{sym}}$. The syntax of quantitative coalgebraic modal logic is then defined by the grammar
$$\varphi ::= \top\mid\varphi_1\vee\varphi_2\mid\varphi_1\wedge\varphi_2\mid u\otimes\varphi\mid\hom_{\mathrm s}(u,\varphi)\mid\lambda(\varphi_1,\dots,\varphi_n)\qquad(u\in V,\ \lambda\in\Lambda)$$
where $\Lambda$ is a set of modalities of finite arity, which we identify, by abuse of notation, with the given set $\Lambda$ of predicate liftings. We view all other connectives as propositional operators. Let $\mathcal L(\Lambda)$ be the set of modal formulas thus defined.

The semantics is given by assigning to each formula $\varphi\in\mathcal L(\Lambda)$ and each coalgebra $\alpha\colon X\to FX$ the interpretation of $\varphi$ over $\alpha$, i.e. the $V$-functor $[\![\varphi]\!]_{\alpha}\colon X\to V$ recursively defined as follows:

– for $\varphi=\top$, we take $[\![\top]\!]_{\alpha}$ to be the $V$-functor given by the constant map into $\top$;

– for an $n$-ary propositional operator $p$, we put $[\![p(\varphi_1,\dots,\varphi_n)]\!]_{\alpha}=p([\![\varphi_1]\!]_{\alpha},\dots,[\![\varphi_n]\!]_{\alpha})$, with $p$ interpreted using the lattice structure of $V$ and the $V$-categorical structure $\hom_{\mathrm s}$ of $V_{\mathrm s}$, respectively, on the right-hand side;

– for $n$-ary $\lambda\in\Lambda$, we put $[\![\lambda(\varphi_1,\dots,\varphi_n)]\!]_{\alpha}=\lambda(([\![\varphi_1]\!]_{\alpha},\dots,[\![\varphi_n]\!]_{\alpha}))\cdot\alpha$, where $([\![\varphi_1]\!]_{\alpha},\dots,[\![\varphi_n]\!]_{\alpha})$ denotes the $V$-functor $(X,a)\to V^{n}$ canonically determined by $[\![\varphi_1]\!]_{\alpha},\dots,[\![\varphi_n]\!]_{\alpha}$.


We then obtain a notion of logical distance: 


Definition 5.1. Let $\Lambda$ be a set of predicate liftings for a functor $F\colon V\text{-}\mathbf{Cat}\to V\text{-}\mathbf{Cat}$. The logical distance $\mathrm{ld}^{\Lambda}_{\alpha}$ on an $F$-coalgebra $(X,a,\alpha)$ is the initial structure on $X$ w.r.t. the structured cone of all maps $[\![\varphi]\!]_{\alpha}\colon X\to|(V,\hom_{\mathrm s})|$ with $\varphi\in\mathcal L(\Lambda)$. More explicitly, for all $x,y\in X$,
$$\mathrm{ld}^{\Lambda}_{\alpha}(x,y)=\bigwedge\{\,\hom_{\mathrm s}([\![\varphi]\!]_{\alpha}(x),[\![\varphi]\!]_{\alpha}(y))\mid\varphi\in\mathcal L(\Lambda)\,\}.$$

In the remainder of the paper, we establish criteria under which a $V$-Cat$_{\mathrm{sym}}$-functor admits a set of predicate liftings for which logical and behavioural distances coincide. Recall that a (quantitative) coalgebraic logic is expressive if $\mathrm{ld}^{\Lambda}_{\alpha}\le\mathrm{bd}^{F}_{\alpha}$ for every $F$-coalgebra $(X,a,\alpha)$. (It is easy to show that the reverse inequality holds universally [12, Theorem 16].)
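The behavioural distance of Section 4 and the logical distance of Definition 5.1 computed side by side for $V = 2$, as an added Python example that is not part of the paper: for a finite powerset coalgebra $\alpha\colon X \to \mathcal P X$, the behavioural preorder is the greatest relation $R$ with $R \le$ (Kantorovich lifting of $R$), obtained by fixpoint iteration from the total relation, and the logical preorder is computed from the extensions of all formulas of the logic with $\top$, $\bot$ (i.e. $\bot \otimes \varphi$), $\wedge$, $\vee$ and the chosen modalities, generated by modal depth until the family of definable sets stops growing. With $\Lambda = \{\Diamond\}$ the behavioural preorder is similarity and is genuinely asymmetric; with $\Lambda = \{\Diamond, \Box\}$ it is bisimilarity. In both cases the two preorders coincide, which is the expressivity statement above for the finite quantale $2$ (the asymmetric case reads the definitions in $V$-Cat rather than in $V$-Cat$_{\mathrm{sym}}$). The coalgebra and its state names are constructed for the example.

```python
"""Behavioural preorder (Section 4) versus logical preorder (Definition 5.1) on a
finite powerset coalgebra alpha: X -> P(X), for V = 2 and the Kantorovich lifting of
the finite powerset functor w.r.t. a subset of {diamond, box}.
Added example; not code from the paper."""


def diamond(alpha, U):
    """Extension of <>phi when [[phi]] = U: states with some successor in U."""
    return frozenset(x for x in alpha if alpha[x] & U)


def box(alpha, U):
    """Extension of []phi when [[phi]] = U: states all of whose successors lie in U."""
    return frozenset(x for x in alpha if alpha[x] <= U)


def lift(alpha, R, modalities):
    """Pairs (x, y) whose successor sets are related by the Kantorovich lifting of R:
    'diamond' contributes the lower Egli-Milner clause, 'box' the upper one."""
    def related(x, y):
        lower = all(any((x1, y1) in R for y1 in alpha[y]) for x1 in alpha[x])
        upper = all(any((x1, y1) in R for x1 in alpha[x]) for y1 in alpha[y])
        return (lower or diamond not in modalities) and (upper or box not in modalities)
    return {(x, y) for x in alpha for y in alpha if related(x, y)}


def behavioural_preorder(alpha, modalities):
    """Greatest R with R <= lift(R): the largest 2-categorical structure on X that
    makes alpha monotone, computed as a greatest fixpoint from the total relation."""
    R = {(x, y) for x in alpha for y in alpha}
    while True:
        R_next = lift(alpha, R, modalities)
        if R_next == R:
            return R
        R = R_next


def lattice_closure(sets):
    """Close a family of extensions under union and intersection (the connectives \\/, /\\)."""
    closed = set(sets)
    while True:
        new = {op(U, W) for U in closed for W in closed
               for op in (frozenset.union, frozenset.intersection)} - closed
        if not new:
            return closed
        closed |= new


def definable_sets(alpha, modalities):
    """Extensions [[phi]]_alpha of all formulas built from T, _|_ (= _|_ (x) phi),
    /\\, \\/ and the chosen modalities, generated by modal depth until nothing new appears."""
    S = lattice_closure({frozenset(alpha), frozenset()})
    while True:
        S_next = lattice_closure(S | {m(alpha, U) for m in modalities for U in S})
        if S_next == S:
            return S
        S = S_next


def logical_preorder(alpha, modalities):
    """x <= y iff hom([[phi]](x), [[phi]](y)) = T for every formula phi, i.e. every
    formula true at x is true at y (Definition 5.1 with V = 2)."""
    S = definable_sets(alpha, modalities)
    return {(x, y) for x in alpha for y in alpha if all(y in U for U in S if x in U)}


# Constructed sample coalgebra (hypothetical, not from the paper): an unlabelled
# transition system with a deadlock c and a self-loop d.
ALPHA = {
    'a': frozenset({'c'}),
    'b': frozenset({'c', 'd'}),
    'c': frozenset(),
    'd': frozenset({'d'}),
}


def compare(alpha, modalities):
    """Return (behavioural preorder, logical preorder, whether they coincide)."""
    bd, ld = behavioural_preorder(alpha, modalities), logical_preorder(alpha, modalities)
    return bd, ld, bd == ld


if __name__ == "__main__":
    for mods in ((diamond,), (diamond, box)):
        bd, ld, same = compare(ALPHA, mods)
        print([m.__name__ for m in mods], "expressive:", same,
              "a<=b:", ('a', 'b') in bd, "b<=a:", ('b', 'a') in bd)
```

With $\Lambda=\{\Diamond\}$ the state $a$ is simulated by $b$ but not conversely (the formula $\Diamond\Diamond\top$ holds at $b$ and fails at $a$), and $b$ and $d$ are mutually similar although not bisimilar; adding $\Box$ separates them through $\Diamond\Box\bot$, which holds at $b$ only.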

Existing expressivity results for quantitative coalgebraic logics for Set-functors 
depend crucially on Kantorovich liftings (e.g. [38,39,22,12]). However, it has been 
shown [12] that the Kantorovich property can be usefully detached from the 
notion of functor lifting. 
Definition 5.2. Let $\Lambda$ be a class of predicate liftings for a functor $F\colon V\text{-}\mathbf{Cat}\to V\text{-}\mathbf{Cat}$. The functor $F$ is $\Lambda$-Kantorovich if, for every $V$-category $X$, the cone of all $V$-functors $\lambda(f)\colon FX\to V$, with $\lambda\in\Lambda$ $\kappa$-ary and $f\in V\text{-}\mathbf{Cat}(X,V^{\kappa})$, is initial. A functor $F\colon V\text{-}\mathbf{Cat}\to V\text{-}\mathbf{Cat}$ is said to be Kantorovich if it is $\Lambda$-Kantorovich for some class $\Lambda$ of predicate liftings for $F$.


Clearly, every Kantorovich lifting of a Set-functor to V-Cat w.r.t. a class A of 
predicate liftings is A-Kantorovich. Moreover, Theorem 3.9 is easily generalized 
to Kantorovich functors. 


Theorem 5.3. A V-Cat-functor is Kantorovich iff it preserves initial morphisms. 


Theorem 5.4. A V-Catsym-functor is Kantorovich iff it preserves initial mor- 
phisms. 


Example 5.5. 1. The inclusion functor $V\text{-}\mathbf{Cat}_{\mathrm{sym,sep}}\hookrightarrow V\text{-}\mathbf{Cat}_{\mathrm{sym}}$ has a left adjoint $(-)_{\mathrm q}\colon V\text{-}\mathbf{Cat}_{\mathrm{sym}}\to V\text{-}\mathbf{Cat}_{\mathrm{sym,sep}}$ that quotients every $X$ by its natural preorder, which for symmetric $X$ is an equivalence, and gives rise to a Kantorovich functor on $V$-Cat$_{\mathrm{sym}}$.

2. Given a bounded-by-1 pseudometric space $(X,d)$, i.e. an object of $[0,1]_{\oplus}\text{-}\mathbf{Cat}_{\mathrm{sym}}\simeq\mathbf{BPMet}$, the Prokhorov distance [30] for probability measures on the measurable space of Borel sets of $(X,d)$ is defined by
$$d^{P}(\mu,\nu)=\inf\{\varepsilon>0\mid\mu(A)\le\nu(A^{\varepsilon})+\varepsilon\text{ for all Borel sets }A\subseteq X\},$$
where $A^{\varepsilon}=\{x\in X\mid\inf_{y\in A}d(x,y)<\varepsilon\}$. It is straightforward to verify that this distance defines a BPMet-functor (which acts on morphisms by measuring preimages) that preserves isometries and, therefore, it is Kantorovich.

3. For every $V$-category $(X,a)$, the functor $(X,a)\times-\colon V\text{-}\mathbf{Cat}\to V\text{-}\mathbf{Cat}$ is Kantorovich. If the underlying lattice of $V$ is Heyting, then under certain conditions this functor has a right adjoint [8,9] which is Kantorovich as well. Here, for $X=(X,a)$ exponentiable, the right adjoint $(-)^{X}$ of $X\times-$ sends a $V$-category $Y=(Y,b)$ to the $V$-category $Y^{X}=(Y^{X},c)$ with underlying set $\{\text{all }V\text{-functors }(1,k)\times(X,a)\to(Y,b)\}$ and, for $h,k\in Y^{X}$,
$$c(h,k)=\bigwedge_{x_1,x_2\in X}b(h(x_1),k(x_2))^{a(x_1,x_2)},$$
where $(-)^{u}\colon V\to V$ denotes the right adjoint of $u\wedge-\colon V\to V$. For a $V$-functor $f\colon(Y_1,b_1)\to(Y_2,b_2)$, the $V$-functor $f^{X}\colon(Y_1^{X},c_1)\to(Y_2^{X},c_2)$ sends $h\in Y_1^{X}$ to $f\cdot h$.


To ensure that a Kantorovich functor is represented by finitary predicate liftings, 
we need to impose a size constraint: 


Definition 5.6. A functor $F\colon V\text{-}\mathbf{Cat}_{\mathrm{sym}}\to V\text{-}\mathbf{Cat}_{\mathrm{sym}}$ is $\omega$-bounded if for every symmetric $V$-category $X$ and every $t\in FX$, there exists a finite subcategory $X_0\subseteq X$ and $t'\in FX_0$ such that $t=Fi(t')$, where $i$ is the inclusion $X_0\to X$.


Example 5.7. Every lifting of a finitary Set-functor to V-Catsym is w-bounded. 


Proposition 5.8. Let F: V-Catsym —> V-Catsym be a Kantorovich functor. If F 
is w-bounded, then F is Kantorovich w.r.t. a set of finitary predicate liftings. 
Finally, from [12, Theorem 31] we obtain:


Corollary 5.9. Let V be a finite quantale, and let F: V-Catsym —> V-Catsym be 
a lifting of a finitary functor that preserves initial morphisms. Then there is a 
set A of predicate liftings for F of finite arity such that the coalgebraic logic L(A) 
is expressive. 


Corollary 5.10. Let F: BPMet — BPMet be a functor that preserves isometries, 
is locally non-expansive, and admits a dense w-bounded subfunctor. Then there 
is a set A of predicate liftings for F of finite arity such that the coalgebraic logic 
L(A) is expressive. 


These instantiate to results on concrete system types, e.g. ones induced 
by (sub)functors listed in Example 5.5, such as probabilistic transition systems 
equipped with a behavioural distance induced by the functor that sends a bounded 
metric space X to the subspace of the space of all probability measures on X 
equipped with the Prokhorov distance (see Example 5.5(2)) determined by the 
closure of the set of finitely supported probability measures. 


6 Conclusions and Future Work 


Quantitative coalgebraic Hennessy-Milner theorems [23,38,12] assume that the 
functor (on metric spaces) describing the system type is Kantorovich, i.e. canon- 
ically induced by a suitable choice of — not necessarily monotone — predicate 
liftings, which then serve as the modalities of a logic that characterizes be- 
havioural distance. We have shown as one of our main results that a functor on 
(quantale-valued) metric spaces is Kantorovich iff it preserves initial morphisms 
(i.e. isometries). As soon as such a functor additionally adheres to the expected 
size and continuity constraints (which replace the condition of finite branching 
found in the classical Hennessy-Milner theorem for labelled transition systems), 
one thus has a logical characterization of behavioural distance in coalgebras for 
the functor, in the sense that behavioural distance equals logical distance. 

In fact we have shown that every functor on metric spaces can be captured 
by a generalized form of predicate liftings where the object of truth values 
may change along the lifting. A simple example is the discretization functor, 
which is characterized by a predicate lifting in which the truth value object for 
the input predicates is equipped with the indiscrete pseudometric, so that the 
lifting accepts all predicates instead of only non-expansive ones. This hints at a 
perspective to design heterogeneous modal logics that characterize behavioural 
distance for such functors, with modalities connecting different types of formulas 
(e.g. non-expansive vs. unrestricted), which we will pursue in future work. One 
application scenario for such a logic are behavioural distances on probabilistic 
systems involving total variation distance, which may be seen as a composite of 
the usual probabilistic Kantorovich functor and the discretization functor. 
Abstract. Logical frameworks provide natural and direct ways of specifying and reasoning within deductive systems. The logical framework LF
and subsequent developments focus on finitary proof systems, making the 
formalization of circular proof systems in such logical frameworks a cum- 
bersome and awkward task. To address this issue, we propose CoLF, a 
conservative extension of LF with higher-order rational terms and mixed 
inductive and coinductive definitions. In this framework, two terms are 
equal if they unfold to the same infinite regular Böhm tree. Both term 
equality and type checking are decidable in CoLF. We illustrate the el- 
egance and expressive power of the framework with several small case 
studies. 


Keywords: Logical Frameworks, Circular Proofs, Regular Böhm Trees 


1 Introduction 


A logical framework provides a uniform way of formalizing and mechanically 
checking derivations for a variety of deductive systems common in the definitions 
of logics and programming languages. In this paper we propose a conservative 
extension of the logical framework LF [18] to support direct representations of 
rational (circular) terms and deductions. 

The main methodology of a logical framework is to establish a bijective cor- 
respondence between derivations of a judgment in the object logic and canonical 
terms of a type in the framework. In this way, proof checking in the object logic 
is reduced to type checking in the framework. One notable feature of LF is the 
use of abstract binding trees, where substitution in the object logic can be en- 
coded as substitution in the framework, leading to elegant encodings. On the 
other hand, encodings of rational terms, circular derivations, and their equality 
relations are rather cumbersome. We therefore propose the logical framework 
CoLF as a conservative extension of LF in which both circular syntactic objects 
and derivations in an object logic can be elegantly represented as higher-order 
rational dependently typed terms. This makes CoLF a uniform framework for 
formalizing proof systems on cyclic structures. We prove the decidability of type 
checking and soundness of equality checking of higher-order rational terms. 


© The Author(s) 2023 
While CoLF allows formalization of circular derivations, proofs by coinduction about such circular encodings can only be represented as relations in CoLF,
mirroring a similar limitation of LF regarding induction. In future work, we plan 
to extend CoLF to support checking of meta-theoretic properties of encodings 
analogous to the way Twelf [27] can check properties of encodings in LF. 

The main contributions of this paper are: 


— The type theory of a logical framework with higher-order rational terms. 
The theory allows natural and adequate representations of circular objects 
and circular derivations (Section 3). 

— A decidable trace condition for ensuring the validity of circular terms and 
derivations arising from mixed inductive and coinductive definitions (Sec- 
tion 3.3). 

— A sound and complete algorithm to decide the equality of two higher-order 
rational terms (Section 3.5). 

— A proof of decidability of type-checking in the framework (Section 3.7). 

— Case studies of encoding subtyping derivations of recursive types (Section 4). 


An extended version of this paper, available at https://arxiv.org/abs/2210.06663, has an appendix that contains additional materials. We have implemented CoLF in OCaml and the implementation can be accessed at https://www.andrew.cmu.edu/user/zhiboc/colf.html. An additional case study of the meta-encoding of the term model of CoLF in CoLF is presented in Appendix J of the extended version.


2 Mixed Inductive and Coinductive Definitions 


We motivate our design through simple examples of natural numbers, conatural 
numbers, and finitely padded streams. The examples serve to illustrate the idea of 
coinductive interpretations, and they do not involve dependent types or higher- 
order terms. More complex examples will be introduced later in the case studies 
(Section 4). 


Natural Numbers. The set of natural numbers is inductively generated by 
zero and successor. In a logical framework such as LF, one would encode natural 
numbers as the signature consisting of the first three lines in the top left part of 
Fig. 1. 

The type theory ensures that canonical terms of the type nat are in one-to-one correspondence with the natural numbers. Specifically, the infinite stack of successors succ (succ (succ ...)) is not a valid term of type nat. Therefore, the circular term w1 is not a valid term.


Conatural Numbers. We may naturally specify that a type admits a coin- 
ductive interpretation by introducing a new syntactic kind cotype. The kind 
cotype behaves just like the kind type except that now the terms under cotype 
    nat : type.                            padding : type.
    zero : nat.                            pstream : cotype.
    succ : nat -> nat.                     cocons : nat -> padding -> pstream.
                                           pad : padding -> padding.
    w1 : nat = succ w1. (not valid)        next : pstream -> padding.

    conat : cotype.                        s1 : pstream = cocons (succ zero)
    cozero : conat.                                       (pad (pad (next s1))).
    cosucc : conat -> conat.
                                           p2 : padding = pad p2. (not valid)
    w2 : conat = cosucc w2.
    w3 : conat = cosucc (cosucc w3).       s3 : pstream = cocons zero (next s3).
                                           s4 : pstream = cocons zero p5.
    eq : conat -> conat -> type.           p5 : padding = next s4.
    eq/refl : eq N N.
    eqw2w3 : eq w2 w3 = eq/refl.           p6 : padding = pad p7. (not valid)
                                           p7 : padding = pad p6. (not valid)

Fig. 1. Signatures and Examples for Section 2


are allowed to be circular. A slightly adapted signature would encode the set 
of conatural numbers, shown as the first three lines in the bottom left part of 
Fig. 1. 

Because conat is a coinductive type, the canonical forms of type conat include $\mathtt{cosucc}^{n}\ \mathtt{cozero}$ for all $n$ and the infinite stack of cosucc, which is in one-to-one correspondence with the set of conatural numbers. Specifically, the infinite stack of cosucc may be represented by the valid circular term w2 as in Fig. 1. The equality of terms in CoLF is the equality of the infinite trees generated by unfolding the terms, which corresponds to a bisimulation between circular terms. For example, an alternative representation of the infinite stack of cosucc is the term w3, and CoLF will treat w2 and w3 as equal terms, as shown by the last three lines in the bottom left part of Fig. 1. The terms w2 and w3 are proved equal by reflexivity. On the other hand, a formulation of conats in LF would involve an explicit constructor, e.g. mu : (conat -> conat) -> conat. The encoding of equality is then complicated and one needs to work with an explicit equality judgment whenever a conat is used. Functions defined by coinduction (e.g., bisimulation in Appendix K of the extended version) need to be encoded as relations in CoLF.


2.1 Finitely Padded Rational Streams 


As an example of a mixed inductive and coinductive definition, we consider rational
streams of natural numbers with finite paddings in between. These streams are
special instances of left-fair streams [5]. We define streams coinductively and
define paddings inductively, such that there are infinitely many numbers in the
stream but only finitely many paddings between numbers, shown in the signature
consisting of the first five lines in the right column of Fig. 1. For example, the term
s1 in Fig. 1 represents a stream of the natural number 1 with two paddings be-
tween consecutive elements. Because padding is a type, the term p2 is not valid,
as it is essentially an infinite stack of pad constructors. Definitions in a CoLF
signature can refer to each other. Thus, the terms s3 and s4 denote the same
padded stream, and the terms p6, p7 and p2 denote the same invalid stream
consisting purely of paddings.


Priorities. To ensure the adequacy of representation, types of kind cotype admit 
circular terms while types of kind type admit only finitary terms. It is obvious 
that the circular term w1 is not a valid term of type nat due to the presence of an 
infinite stack of inductive constructors, and the circular term w2 is a valid term of 
type conat because it is a stack of coinductive constructors. However, when we 
have both inductive and coinductive types, it is unclear whether a circular term 
(e.g. s1) is valid. Historically, priorities are used to resolve this ambiguity [11]. 
A priority is assigned to each inductive or coinductive type, and constructors 
inherit priorities from their types. Constructors with the highest priority types 
are then viewed as primary. In CoLF, priorities are determined by the order of 
their declarations. Type families declared later have higher priorities than those 
declared earlier. In this way, the type pstream has higher priority than the type 
padding. Constructor cocons inherits the priority of pstream, and the term 
s1 is viewed as an infinite stack of cocons and is thus valid. Similarly, terms 
s3 and s4 are also valid. If we switch the order of declaration of padding and 
pstream (thereby switching their priorities), then terms s1, s3, and s4 are no 
longer valid. 


3 The Type Theory 


We formulate the type theory of CoLF, a dependent type theory with higher-
order rational terms and decidable type checking. The higher-order rational
terms correspond to ⊥-free regular Böhm trees [21] and have decidable equality.


3.1 Higher-Order Rational Terms 


When we consider first-order terms (terms without λ-binders), the rational terms
are terms with only finitely many distinct subterms, and thus their equality is
decidable. We translate this intuition to the higher-order setting. The higher-
order rational terms are those with finitely many subterms up to renaming of
free and bound variables. We give several examples of rational and non-rational
terms using the signatures in Section 2.


1. The term w2 in Fig. 1 is a first-order rational term.

2. A stream counting up from zero, up0 = cocons zero (next (cocons (succ zero)
(next (...)))), is a first-order term that is not rational.

3. A stream that repeats its argument, R2 = λx. cocons x (next (R2 x)), is a
higher-order rational term.

4. A stream that counts up from a given number, up = λx. cocons x (next (up
(succ x))), is not a rational higher-order term.

In the definitions above, the names on the left of the equality signs (up0, R2
and up) are called recursion constants. It is crucial that in higher-order rational
terms, all arguments to recursion constants are bound variables and not other
kinds of terms. We call this restriction the prepattern restriction as it is similar
to Miller's pattern restriction [24] except that we allow repetition of arguments.
The prepattern restriction marks the key difference between the higher-order
rational term R2 and the infinitary term up. The term up is not rational because
the argument to up is succ x, which is not a bound variable.


3.2 Syntax 


We build subsequent developments on canonical LF [19], a formulation of the
LF type theory where terms are always in their canonical form. Canonical forms
do not contain β-redexes and are fully η-expanded with respect to their typ-
ing, supporting bijective correspondences between object logic derivations and
the terms of the framework. One drawback of this presentation is that canon-
ical terms are not closed under syntactic substitutions; the technique of
hereditary substitution addresses this problem [29].

The syntax of the theory follows the grammar shown in Fig. 2. We use the
standard notion of spines. For example, a term x M1 M2 M3 will be written as
x · (M1; M2; M3) where x is the head and M1; M2; M3 is the spine. To express
rational terms, we add recursive definitions of the form r : A = M to the sig-
nature, where M must be contractive (judgment M contra) in that the head of
M must be a constant or a variable. Recursive definitions look like notational
definitions [26], but their semantics are very different. Recursive definitions are
interpreted recursively in that the definition M may mention the recursion con-
stant r, and other recursion constants including those defined later in the sig-
nature, while notational definitions in LF [26] cannot be recursive. Recursion
constants are treated specially as a syntactic entity that is different from vari-
ables or constructors (nonrecursive constants). To ensure conservativity over
LF, we further require all definitions in Σ to be linearly ordered. That is, only
in the body of a recursive definition can we "forward reference", and we can only
forward reference other recursion constants. All other declarations must strictly
refer to names that have been defined previously. We write λx̄ and M̄ to mean a
sequence of λ-abstractions and a sequence of terms respectively. We write x, y, z
for variables, c, d for term constants (also called constructors), a for type family
constants, and r, r', r'' for recursion constants.

Signatures       Σ ::= · | Σ, a : K | Σ, c : A | Σ, r : A = M
Contexts         Γ ::= · | Γ, x : A | Γ, x ? A
Kinds            K ::= type | cotype | Πx : A. K | Πx ? A. K

Canonical types  A, B ::= P | Πx : A2. A1 | Πx ? A2. A1
Atomic types     P ::= a · S

Canonical terms  M ::= R | λx. M
Neutral terms    R ::= H · S
Heads            H ::= x | c | r
Spines           S ::= M; S | [x]; S | ()

Fig. 2. The Syntax for CoLF

To enforce the prepattern restriction, we use a technical device called prepat-
tern Π-abstractions, and associated notions of prepattern variables and prepattern
spines. Prepattern Π-abstractions are written as Πx ? A2. A1, and x will be a
prepattern variable (written x ? A2) in A1. Moreover, in A1, if y is a variable
of a prepattern type Πw ? A. B, then the prepattern application of y to x will
be realized as the head y followed by a prepattern spine ([x]), written y · ([x]).
The semantics is that prepattern variables may only be substituted by other
prepattern variables, while ordinary variables can be substituted by arbitrary
terms (which include other prepattern variables). In a well-typed signature, if
r : A = M is a recursion declaration, then A consists of purely prepattern Π-
abstractions (judgment A prepat) and for all r · S in the signature, S consists
of purely prepattern applications and is thus called a prepattern spine (judg-
ment S prepat). The prepattern variables are similar to those introduced by the
∇-operator [25], which models the concept of fresh names, but here in a depen-
dently typed setting, types may depend on prepattern variables.

In an actual implementation, the usages of prepattern types may impose 
additional burdens on the programmer. As a remedy, the implementation could 
infer which variables are prepattern variables based on whether they appear as 
arguments to recursion constants and propagate such information. 


3.3 Trace Condition 


In a signature Σ, we say that a type A is inductive if A = Πx1 : A1. ... Πxn : An. a · S
and a : Πy1 : B1. ... Πym : Bm. type, and a type A is coinductive if A = Πx1 : A1. ... Πxn :
An. a · S and a : Πy1 : B1. ... Πym : Bm. cotype. A constructor c is inductive if c : A ∈
Σ and A is inductive, and c is coinductive if c : A ∈ Σ and A is coinductive.

The validity of terms is enforced through a trace condition [17,8] on
cycles. A trace is a sequence of constructor constants or variables, where each
constructor or variable is a child of the previous one. A trace from a recursion
constant r to itself is a sequence starting with the head of the definition of r and
ending with the parent of an occurrence of r. In Fig. 1, a trace from p2 to itself is
[pad], and a trace from s1 to itself is [cocons, pad, pad, next]. Traces cross into
definitions of recursion constants. Thus, a trace from p6 to itself is [pad, pad],
which is also a trace from p7 to itself. A trace from s4 to itself is [cocons, next],
and a trace from p5 to itself is [next, cocons]. If r = λx. f (r x) (g (r x)) (more
precisely r = λx. f · (r · ([x]); g · (r · ([x])))), then there are two traces from r to
itself, i.e., [f] and [f, g].

A higher-order rational term M is trace-valid if for all recursion constants r
in M, each trace from r to itself contains a coinductive constructor, and that
coinductive constructor has the highest priority among all constructors on that
trace. To ensure trace validity, it is sufficient to check that in a recursive definition,
all occurrences of recursion constants are guarded by some coinductive constructor
of the highest priority. The guardedness condition (judgment ⊢Σ r ⋉ M) means
that occurrences of r in M are guarded by some coinductive constructor of the
highest priority, and the condition is decidable. In a well-typed signature Σ, if
r : A = M ∈ Σ, then ⊢Σ r ⋉ M. A detailed algorithm for checking trace-validity
is presented in Appendix B.2 of the extended version. The reader may check
guardedness for all valid terms in Fig. 1.
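The trace condition with priorities (Section 2.1 and this section), as an added example that is not part of the paper or its implementation: a Python check of trace validity for the first-order definitions of Fig. 1. The signature table, the encoding of terms as nested tuples and the function names trace_valid and validity_table are choices made for this illustration. The search crosses into the definitions of other recursion constants and memoizes on the pair (recursion constant, highest priority seen so far), which is what keeps the exploration finite even though cycles through other constants generate infinitely many traces.

```python
"""Trace validity with priorities for a first-order CoLF-style signature."""

# Constructed signature: the first-order part of Fig. 1. Type families are listed
# in declaration order; later declarations get higher priority.
ORDER = ["nat", "conat", "padding", "pstream"]
KIND = {"nat": "type", "conat": "cotype", "padding": "type", "pstream": "cotype"}
CONS = {                       # constructor -> type family whose priority it inherits
    "zero": "nat", "succ": "nat",
    "cozero": "conat", "cosucc": "conat",
    "cocons": "pstream", "pad": "padding", "next": "padding",
}
# Recursive definitions.  A term is a recursion constant (a str) or a tuple
# (constructor, arg, ...); nullary constructors are 1-tuples such as ("zero",).
DEFS = {
    "w1": ("succ", "w1"),
    "w2": ("cosucc", "w2"),
    "w3": ("cosucc", ("cosucc", "w3")),
    "s1": ("cocons", ("succ", ("zero",)), ("pad", ("pad", ("next", "s1")))),
    "p2": ("pad", "p2"),
    "s3": ("cocons", ("zero",), ("next", "s3")),
    "s4": ("cocons", ("zero",), "p5"),
    "p5": ("next", "s4"),
    "p6": ("pad", "p7"),
    "p7": ("pad", "p6"),
}


def trace_valid(r, defs=DEFS, cons=CONS, kind=KIND, order=ORDER):
    """True iff every trace from r back to r has its highest-priority constructor
    in a coinductive (cotype) family.  Traces cross into the definitions of
    other recursion constants; since only the maximum priority seen so far
    matters, the search state (constant, max) is finite and is memoized."""
    prio = {t: i for i, t in enumerate(order)}
    seen = set()

    def walk(term, best):
        # best = (priority, family) of the highest-priority constructor on the path so far
        if isinstance(term, str):                 # an occurrence of a recursion constant
            if term == r:                         # a trace from r to r closes here
                return best is not None and kind[best[1]] == "cotype"
            if (term, best) in seen:              # this continuation is already being checked
                return True
            seen.add((term, best))
            return walk(defs[term], best)         # continue into the other definition
        head, *args = term
        fam = cons[head]
        nb = best if best is not None and best[0] >= prio[fam] else (prio[fam], fam)
        return all(walk(a, nb) for a in args)     # every child path must be valid

    return walk(defs[r], None)


def validity_table(order=ORDER):
    """Validity of every definition in DEFS under a given priority order."""
    return {name: trace_valid(name, order=order) for name in DEFS}
```

Calling validity_table() reproduces the verdicts of Fig. 1 (w1, p2, p6 and p7 invalid, the rest valid); passing the order with padding declared after pstream makes s1, s3 and s4 invalid, as described under Priorities, while w2 and w3 are unaffected.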


3.4 Hereditary Substitution 


Hereditary substitution [29,19] provides a method of substituting one canonical
term into another and still obtaining a canonical term as the output by performing
type-based normalization. This technique simplifies the definition of term equality
in the original LF [18,20] by separating term equality and normalization from
type checking. We extend the definition of hereditary substitution to account
for recursion constants. Hereditary substitution is a partial operation on terms.
When the input term is not well-typed or the prepattern restriction is not respected,
the output may be undefined.

Hereditary substitution takes as an extra argument the simple type of the
term being substituted. The simple type τ is inductively generated by the
following grammar.

τ ::= * | τ1 → τ2

We write A⁻ for the simple type that results from erasing dependencies in
A. We write [N/x]^τ M for hereditarily substituting N for the free ordinary variable
x in M. The definition proceeds by induction on τ and the structure of M. For
prepattern variables, since they may only stand for other prepattern variables,
we use a notion of renaming substitution. The renaming substitution [y/x]M
renames a prepattern variable or an ordinary variable x to the prepattern variable y
in M. Both substitutions naturally extend to other syntactic kinds. Hereditary
substitution relies on renaming substitution when reducing prepattern applica-
tions. Because of the prepattern restriction, recursion constants are only applied
to prepattern variables in a well-formed signature, and we never substitute into
a recursive definition. Let σ be a simultaneous renaming substitution, a notion
generalized from renaming substitutions; we write [σ]M for carrying out the sub-
stitution σ on M.

The definition for hereditary substitution is shown in Fig. 3. Appendix A of
the extended version contains other straightforward cases of the definition. We
note that prepattern Π-types erase to the base type * because we may only apply
terms of prepattern Π-types to prepattern variables, and thus the structure of
the argument term does not matter.

Erasure A⁻:

(a · S)⁻ = *
(Πx : A2. A1)⁻ = (A2)⁻ → (A1)⁻
(Πx ? A2. A1)⁻ = *

[N/x]^τ M = M':

[N/x]^τ R = [N/x]^τ R                          (neutral case below)
[N/x]^τ (λy. M) = λy. [N/x]^τ M,   y ≠ x

[N/x]^τ R = R':

[N/x]^τ (x · S) = ([N/x]^τ S) ▷^τ N
[N/x]^τ (y · S) = y · ([N/x]^τ S),   y ≠ x
[N/x]^τ (c · S) = c · ([N/x]^τ S)
[N/x]^τ (r · S) = r · ([N/x]^τ S)

[N/x]^τ S = S':

[N/x]^τ () = ()
[N/x]^τ (M; S) = ([N/x]^τ M); ([N/x]^τ S)
[N/x]^τ ([x]; S) = undefined
[N/x]^τ ([z]; S) = [z]; ([N/x]^τ S),   z ≠ x

S ▷^τ N = R:

() ▷^* R = R
(N; S) ▷^(τ2 → τ1) (λx. M) = S ▷^τ1 ([N/x]^τ2 M)
([y]; S) ▷^(* → τ) (λx. M) = S ▷^τ ([y/x]M)

Fig. 3. Hereditary Substitutions


3.5 Term Equality


The equality checking of circular terms is carried out by iteratively unfolding
recursive definitions [1,6,14,23]. The algorithm here is a slight adaptation of the
equality algorithm for regular Böhm trees by Huet [21], tailored to the specific
case of CoLF's canonical term syntax. We emphasize that the equality algorithm
can treat terms that are not trace-valid or well-typed, and is thus decoupled
from validity checking and type checking. The algorithm itself checks for the
prepattern restriction on recursion constants and the contractiveness condition on
recursive definitions. These checks are essential to ensure termination in the
presence of forward referencing inside recursive definitions.

We define the judgment Δ; Θ ⊢Σ M = M' to mean that M and M', with free
variables from Θ, are equal under the assumptions Δ, with consideration of the
recursive definitions in Σ. The variable list Θ is similar to Γ except it doesn't
have the types for the variables. It is merely a list of pairwise distinct variables.
Similarly, we define the judgment Δ; Θ ⊢Σ S = S' to mean that spines S and S' are
element-wise equal. Equalities in Δ will be of the form (Θ ⊢ M = M') where Θ
holds the free variables of M and M'. We write Θ ⊢ M to mean that FV(M) ⊆ Θ.
We define simultaneous variable renaming: σ is a variable renaming from Θ'
to Θ, written Θ ⊢ σ : Θ', if whenever Θ' ⊢ M, then Θ ⊢ [σ]M. For instance,
if we have x ⊢ [x/y, x/z] : y, z and y, z ⊢ y · [z], then x ⊢ [x/y, x/z](y · [z]), i.e.,
x ⊢ x · [x]. The rules for the judgments are presented in Fig. 4. Recall that M is
contractive (M contra) if the head of M is not a recursion constant.


An Example. Assume the signature in Section 2.1, and consider a stream
generator that repeats its argument. The stream may be represented by the terms
r1 and r2 below. Note that in the concrete syntax, square brackets represent
λ-abstractions.


r1 : nat -> pstream = [x] cocons x (next (r1 x)).
r2 : nat -> pstream = [x] cocons x (next (cocons x (next (r2 x)))).


Because r1 is a recursion constant, its type is a prepattern Π-type, and this
restriction is respected in the body as x is a prepattern variable.

Δ; Θ ⊢Σ M = M'

  Θ ⊢ σ : Θ'
  ------------------------------------------------------------- (1)
  Δ, (Θ' ⊢ H · S1 = H' · S2); Θ ⊢Σ [σ](H · S1) = [σ](H' · S2)

  r : A = M ∈ Σ   S1 prepat   M contra
  Δ, (Θ ⊢ r · S1 = H · S2); Θ ⊢Σ S1 ▷^(A⁻) M = H · S2
  ------------------------------------------------------------- (2)
  Δ; Θ ⊢Σ r · S1 = H · S2

  r : A = M ∈ Σ   S2 prepat   M contra   H ≠ r
  Δ, (Θ ⊢ H · S1 = r · S2); Θ ⊢Σ H · S1 = S2 ▷^(A⁻) M
  ------------------------------------------------------------- (3)
  Δ; Θ ⊢Σ H · S1 = r · S2

  Δ; Θ ⊢Σ S = S'                Δ; Θ ⊢Σ S = S'                Δ; Θ, x ⊢Σ M = M'
  ----------------------- (4)   ----------------------- (5)   ------------------------- (6)
  Δ; Θ ⊢Σ c · S = c · S'        Δ; Θ ⊢Σ y · S = y · S'        Δ; Θ ⊢Σ λx. M = λx. M'

Δ; Θ ⊢Σ S = S'

                        Δ; Θ ⊢Σ M = M'   Δ; Θ ⊢Σ S = S'     Δ; Θ ⊢Σ S = S'
  -----------------     ----------------------------------   --------------------------
  Δ; Θ ⊢Σ () = ()       Δ; Θ ⊢Σ M; S = M'; S'                Δ; Θ ⊢Σ [x]; S = [x]; S'

Fig. 4. Equality Checking

We want to show that r1 and r2 are equal in the framework. Let Σ be the
signature of Section 2.1 plus the definitions for r1 and r2. We illustrate the
process of checking that ·; · ⊢Σ λx. r1 · ([x]) = λx. r2 · ([x]) as a search procedure
for a derivation of this judgment, where initially both Δ and Θ are empty.

Immediately after rule (6) we encounter ·; x ⊢Σ r1 · ([x]) = r2 · ([x]); we mem-
oize this equality by storing (x ⊢ r1 · ([x]) = r2 · ([x])) in Δ as in rule (2), and
unfold the left-hand side. Then we proceed with the judgment


(x ⊢ r1 · ([x]) = r2 · ([x])); x ⊢Σ cocons · (x; next · (r1 · ([x]))) = r2 · ([x])


We then use rule (3) to unfold the right-hand side and store the current equation
in the context. Then after several structural rules, we have


(x ⊢ r1 · ([x]) = r2 · ([x])), ...; x ⊢Σ r1 · ([x]) = cocons · (x; next · (r2 · ([x])))


At this point, rule (2) applies. We add the current equation to the context
and unfold the left recursive definition. Then after several structural rules, we
encounter the following judgment.


(x ⊢ r1 · ([x]) = r2 · ([x])), ...; x ⊢Σ r1 · ([x]) = r2 · ([x])


Now we can close the derivation with rule (1) using the identity substitution.
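The unfolding procedure just walked through, as an added example that is not the authors' implementation: a Python version of the memoized equality check on the Fig. 1 signature together with r1 and r2. The term representation, the signature table SIG and the names equal, unfold, key and check are assumptions of this illustration. It departs from Fig. 4 in two ways: the closure rule (1) is applied only up to injective renaming of variables (a pair is canonicalized by numbering its variables in order of first occurrence), and the assumption set is shared across sibling comparisons rather than grown along one derivation path. The latter is sound here because any failed comparison aborts the whole check, so a pair only stays assumed if its unfolding was verified. Non-contractive definitions and spines that do not match the prepattern parameters are rejected, as the algorithm in the text requires.

```python
"""Memoized equality of higher-order rational terms (Huet-style unfolding with
an assumption set), over a constructed signature in the style of Fig. 1."""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Var:                       # variable head with a spine
    name: str
    args: tuple = ()


@dataclass(frozen=True)
class Con:                       # constructor head with a spine
    name: str
    args: tuple = ()


@dataclass(frozen=True)
class Rec:                       # recursion constant applied to a prepattern spine
    name: str
    args: tuple = ()             # names of the variables it is applied to


@dataclass(frozen=True)
class Lam:                       # lambda abstraction
    var: str
    body: object


_fresh = count()


def fresh(base):
    return f"{base.split('#')[0]}#{next(_fresh)}"


def rename(t, sub):
    """Renaming substitution [y/x] on variables only; binders are freshened."""
    if isinstance(t, Var):
        return Var(sub.get(t.name, t.name), tuple(rename(a, sub) for a in t.args))
    if isinstance(t, Con):
        return Con(t.name, tuple(rename(a, sub) for a in t.args))
    if isinstance(t, Rec):
        return Rec(t.name, tuple(sub.get(a, a) for a in t.args))
    z = fresh(t.var)
    return Lam(z, rename(t.body, {**sub, t.var: z}))


def unfold(r, sig):
    """One unfolding step of r . S: rename the definition's parameters to S."""
    params, body = sig[r.name]
    if isinstance(body, Rec):
        raise ValueError(f"{r.name}: definition is not contractive")
    if len(params) != len(r.args):
        raise ValueError(f"{r.name}: spine does not match the prepattern type")
    return rename(body, dict(zip(params, r.args)))


def key(m, n):
    """Canonical form of the pair (m, n) modulo injective renaming of free and
    bound variables, numbering variables by first occurrence (closure rule (1))."""
    table = {}

    def canon(t):
        if isinstance(t, Var):
            return ("v", table.setdefault(t.name, len(table)), tuple(map(canon, t.args)))
        if isinstance(t, Con):
            return ("c", t.name, tuple(map(canon, t.args)))
        if isinstance(t, Rec):
            return ("r", t.name, tuple(table.setdefault(a, len(table)) for a in t.args))
        return ("l", table.setdefault(t.var, len(table)), canon(t.body))

    return (canon(m), canon(n))


def equal(m, n, sig, assumed=None):
    """Bisimulation check: assume the pair, unfold, then compare structurally."""
    assumed = set() if assumed is None else assumed
    if isinstance(m, Lam) and isinstance(n, Lam):                      # rule (6)
        z = fresh("z")
        return equal(rename(m.body, {m.var: z}), rename(n.body, {n.var: z}), sig, assumed)
    if isinstance(m, Rec) or isinstance(n, Rec):
        k = key(m, n)
        if k in assumed:                                               # rule (1)
            return True
        assumed.add(k)                                                 # rules (2), (3)
        if isinstance(m, Rec):
            return equal(unfold(m, sig), n, sig, assumed)
        return equal(m, unfold(n, sig), sig, assumed)
    if type(m) is not type(n) or m.name != n.name or len(m.args) != len(n.args):
        return False
    return all(equal(a, b, sig, assumed) for a, b in zip(m.args, n.args))   # rules (4), (5)


# Constructed signature (Fig. 1 plus r1/r2): name -> (parameters, body)
_r2_inner = Con("cocons", (Var("x"), Con("next", (Rec("r2", ("x",)),))))
SIG = {
    "w2": ((), Con("cosucc", (Rec("w2"),))),
    "w3": ((), Con("cosucc", (Con("cosucc", (Rec("w3"),)),))),
    "s1": ((), Con("cocons", (Con("succ", (Con("zero"),)),
                              Con("pad", (Con("pad", (Con("next", (Rec("s1"),)),)),))))),
    "s3": ((), Con("cocons", (Con("zero"), Con("next", (Rec("s3"),))))),
    "s4": ((), Con("cocons", (Con("zero"), Rec("p5")))),
    "p5": ((), Con("next", (Rec("s4"),))),
    "p2": ((), Con("pad", (Rec("p2"),))),
    "p6": ((), Con("pad", (Rec("p7"),))),
    "p7": ((), Con("pad", (Rec("p6"),))),
    "r1": (("x",), Con("cocons", (Var("x"), Con("next", (Rec("r1", ("x",)),))))),
    "r2": (("x",), Con("cocons", (Var("x"), Con("next", (_r2_inner,))))),
}


def check(a, b):
    """Compare two terms over SIG; a recursion constant is written Rec(name)."""
    return equal(a, b, SIG)
```

check(Lam("x", Rec("r1", ("x",))), Lam("x", Rec("r2", ("x",)))) follows exactly the four stages of the walkthrough above, closing on the assumption recorded at the first unfolding. Because the check never consults trace validity, it also reports p6, p7 and p2 as equal, in line with the remark in Section 2.1 that they denote the same (invalid) stream.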


Decidability. Huet [21] has proved termination, soundness, and complete-
ness in the case of untyped regular Böhm trees. Our proof shares its essential
idea with Huet's proof. Termination relies on the fact that terms only admit
finitely many subterms modulo renaming of both free and bound variables, and
only subterms will appear in Δ. Soundness and completeness are proved
with respect to the infinite Böhm tree [4] generated by unfolding the terms
indefinitely, which again corresponds to a bisimulation between terms.


Theorem 1 (Decidability of Term Equality). It is decidable whether Δ; Θ ⊢Σ
M = M' for any rational terms M and M'.


Proof. We first show that there is a limit on the number of equations in Δ. Then
termination follows from the lexicographic order on the assumption capacity (the dif-
ference between the current number of assumptions in Δ and the maximum) and
the structure of the terms under comparison. Rules (4)(5)(6) de-
compose the structure of the terms and rules (2)(3) reduce the assumption capacity.
It remains to show that the size of Δ has a limit.

The prepattern conditions on rules (2)(3) ensure that the expansion of recur-
sive definitions will only involve renaming substitutions, and thus the resulting
term will be an α-renaming of the underlying definition. No structurally new
terms will be produced as a result of renaming substitution in rules (2)(3). We
construct a finite set of all possible terms that could be added to the context.
Each term is of finite depth and breadth limited by the existing constructs in
the signature, and consists of finitely many constants, variables, and recursion
constants. The constants and recursion constants are limited to those already
present in the signature. Although there are infinitely many variables, there
are finitely many terms of bounded depth and width that are distinct modulo re-
naming of both bound and free variables. Thus, the set of terms that can appear
as an element of Δ is finite, modulo renaming of free variables. The estimate of
a rough upper bound can be found in Appendix D of the extended version.


We specify the infinite unfolding by specifying its unfolding to a Böhm tree of
depth k, which is a finite approximation to the infinite Böhm tree, for each k ∈ ℕ.
Then the infinite Böhm tree is the limit of all its finite approximations. We use the
judgment exp_(k)(M) =_(k) M' to denote the expansion of a higher-order rational
term M to a Böhm tree M' of depth k, and use the judgment exp(M) = N'
to express that the higher-order rational term M expands to the infinite Böhm tree
N'. We also enrich the syntax of Böhm trees with prep
attern variables. The full
set of expansion rules can be found in Appendix E of the extended version. All
cases are structural except for the following case when we expand a recursion
constant, where we look up the definition of the recursion constant and plug in
the arguments.


exp_(k+1)(r · S) =_(k+1) exp_(k+1)(S ▷^(A⁻) M)   if r : A = M ∈ Σ and S prepat


Lemma 1 (Expansion Commutes with Hereditary Substitution). For
all k, τ, M and N, exp_(k)([N/x]^τ M) =_(k) [exp_(k)(N)/x]^τ (exp_(k)(M)) if defined.


Proof. Directly by lexicographic induction on k and the structure of M. 
Theorem 2 (Soundness of Term Equality).
If ·; Θ ⊢Σ M = M', then exp_(k)(M) =_(k) exp_(k)(M') for all k.


Proof. By lexicographic induction on the depth k and the derivation of Δ; Θ ⊢Σ M =
M'. The case for rule (1) is immediate by applying renaming substitutions at
the closure rule. The cases for rules (2)(3) follow from the commutation lemma.
The cases for rules (4)(5)(6) follow from the definition of exp.


Theorem 3 (Completeness of Term Equality).
For rational terms M and M', with free variables from Θ, if exp(M) =
exp(M'), then ·; Θ ⊢Σ M = M'.


Proof. The equality algorithm is syntax-directed. We construct the derivation
of ·; Θ ⊢Σ M = M' by syntax-directed proof search following the structure of M.
Every trace of exp(M) and exp(M') corresponds to a trace in the derivation of
·; Θ ⊢Σ M = M'. If exp(M) = exp(M'), then the two terms are equal on every trace,
and there will be exactly one rule that applies at every point in the construction
of the equality derivation. Termination is assured by Theorem 1.


3.6 Type Checking Rules 


For type checking, we define the judgments in Fig. 5 by simultaneous induction.
Because recursion constants may be forward referenced, we need access
to later declarations that have not been checked during the checking of earlier
declarations. In order to ensure the otherwise linear order of the declarations, the
type checking judgments are parametrized by a pair of signatures Ξ; Σ, where Ξ
is the local signature that contains the type-checked declarations before the current
declaration and Σ is the global signature that contains the full signature, including
declarations that have not been checked. In particular, recursion constants avail-
able for forward-referencing will be in Σ but not Ξ. The type equality judgments
Γ ⊢Σ A1 = A2, Γ ⊢Σ P1 = P2 only need to read recursive definitions from the
global signature, and do not need to access the local signature.

Σ sig                   Signature Σ is type correct categorically
⊢Σ Ξ sig                Local signature Ξ is type correct with global signature Σ
⊢Ξ;Σ Γ ctx              Context Γ is well-formed
Γ ⊢Ξ;Σ K ⇐ kind         Kind K is a valid kind
Γ ⊢Ξ;Σ A ⇐ (co)type     Type A is a canonical type
Γ ⊢Ξ;Σ P ⇒ K            Atomic type P synthesizes kind K
Γ ⊢Ξ;Σ S ▷ K ⇒ K'       Spine S applied to kind K produces kind K'
Γ ⊢Ξ;Σ M ⇐ A            Term M checks against type A
Γ ⊢Ξ;Σ R ⇒ P            Neutral term R synthesizes type P
Γ ⊢Ξ;Σ S ▷ A ⇒ P        Spine S applied to canonical type A produces atomic type P
Γ ⊢Σ A1 = A2            Types A1 and A2 are equal canonical types
Γ ⊢Σ P1 = P2            Types P1 and P2 are equal atomic types

Fig. 5. Type Checking Judgments

A selection of the essential type checking rules is presented in Fig. 6.
The rest of the rules can be found in Appendix F of the extended version.
To ensure the correct type checking order, i.e., that the body of a recursive defini-
tion is checked after the types of all recursion constants within it are checked,
we defer checking the bodies of all recursive definitions to the end. This ap-
proach is viable because the term equality algorithm soundly terminates even
when the recursive definition is not well-typed. For instance, if the signature is
Σ = c1 : A1, c2 : A2, r1 : A3 = M1, c3 : A4, r2 : A5 = M2, then the order
of checking is A1, A2, A3, A4, A5, M1, M2. This order is expressed in the type
checking rules by an annotation on a specific premise of the rules. The annota-
tion [⊢Σ;Σ M ⇐ A]^deferred means that this judgment is to be checked after all
the typing judgments have been checked. That is, when we check this premise,
we have checked that ⊢Σ Σ sig. Because of the deferred checking of recursive
definitions, the judgment ⊢Σ Ξ sig does not require the bodies of recursion decla-
rations in Ξ to be well-typed. However, the categorical judgment Σ sig requires
the body of every recursion declaration to be well-typed.

To enforce the restriction that forward references only happen in a recursive
definition, the annotation [or r : A = M ∈ Σ]^definitions means that the forward refer-
ence only occurs during the checking of recursive definitions (which are deferred)
and nowhere else.


3.7 Metatheorems 
We state some properties about hereditary substitution and type checking. 


Theorem 4 (Hereditary Substitution Respects Typing).
Given a checked signature Σ where Σ sig, if Γ ⊢Ξ;Σ N ⇐ A and Γ, x : A, Γ' ⊢Ξ;Σ
M ⇐ B, then Γ, [N/x]^(A⁻) Γ' ⊢Ξ;Σ [N/x]^(A⁻) M ⇐ [N/x]^(A⁻) B.


Proof. By induction on the second derivation, with similar theorems for other
judgment forms. This proof is similar to those in [29,19]. Because of the prepat-
tern restriction, hereditary substitutions do not occur inside recursive definitions
and are thus similar to hereditary substitutions in LF.


Theorem 5 (Decidability of Type Checking). 
All typing judgments are algorithmically decidable. 


Proof. The type checking judgment is syntax directed. Hereditary substitutions 
are defined by induction on the erased simple types and always terminate. Equal- 
ity of types ultimately reduces to equality of terms, and we have proved its 
termination in Section 3.5. 
Σ sig

  ⊢Σ Σ sig
  ----------
  Σ sig

⊢Σ Ξ sig

  ----------
  ⊢Σ · sig

  ⊢Σ Ξ sig   ⊢Ξ;Σ K ⇐ kind
  --------------------------
  ⊢Σ Ξ, a : K sig

  ⊢Σ Ξ sig   ⊢Ξ;Σ A ⇐ (co)type
  ------------------------------
  ⊢Σ Ξ, c : A sig

  ⊢Σ Ξ sig   ⊢Ξ;Σ A ⇐ (co)type   [⊢Σ;Σ M ⇐ A]^deferred   A prepat   M contra   ⊢Σ r ⋉ M
  ---------------------------------------------------------------------------------------
  ⊢Σ Ξ, r : A = M sig

Γ ⊢Ξ;Σ K ⇐ kind

  ----------------------      ------------------------
  Γ ⊢Ξ;Σ type ⇐ kind          Γ ⊢Ξ;Σ cotype ⇐ kind

  Γ ⊢Ξ;Σ A ⇐ (co)type   Γ, x :? A ⊢Ξ;Σ K ⇐ kind
  -----------------------------------------------
  Γ ⊢Ξ;Σ Πx :? A. K ⇐ kind

Γ ⊢Ξ;Σ A ⇐ (co)type

  Γ ⊢Ξ;Σ A2 ⇐ (co)type   Γ, x :? A2 ⊢Ξ;Σ A1 ⇐ (co)type
  -----------------------------------------------------
  Γ ⊢Ξ;Σ Πx :? A2. A1 ⇐ (co)type

  Γ ⊢Ξ;Σ P ⇒ K   K = type / cotype
  ----------------------------------
  Γ ⊢Ξ;Σ P ⇐ (co)type

Γ ⊢Ξ;Σ P ⇒ K

  a : K ∈ Ξ   Γ ⊢Ξ;Σ S ▷ K ⇒ K'
  -------------------------------
  Γ ⊢Ξ;Σ a · S ⇒ K'

Γ ⊢Ξ;Σ S ▷ K ⇒ K'

  ---------------------
  Γ ⊢Ξ;Σ () ▷ K ⇒ K

  Γ ⊢Ξ;Σ M ⇐ A2   [M/x]^(A2⁻) K = K'   Γ ⊢Ξ;Σ S ▷ K' ⇒ K''
  ----------------------------------------------------------
  Γ ⊢Ξ;Σ M; S ▷ Πx : A2. K ⇒ K''

  y ? A ∈ Γ   Γ ⊢Σ A = A2   [y/x]K = K'   Γ ⊢Ξ;Σ S ▷ K' ⇒ K''
  -------------------------------------------------------------
  Γ ⊢Ξ;Σ [y]; S ▷ Πx ? A2. K ⇒ K''

Γ ⊢Ξ;Σ M ⇐ A

  Γ ⊢Ξ;Σ R ⇒ P'   Γ ⊢Σ P' = P
  -----------------------------
  Γ ⊢Ξ;Σ R ⇐ P

  Γ, x :? A2 ⊢Ξ;Σ M ⇐ A1
  ----------------------------------
  Γ ⊢Ξ;Σ λx. M ⇐ Πx :? A2. A1

Γ ⊢Ξ;Σ R ⇒ P

  (c : A ∈ Ξ, or x : A ∈ Γ, or x ? A ∈ Γ)   Γ ⊢Ξ;Σ S ▷ A ⇒ P
  -----------------------------------------------------------
  Γ ⊢Ξ;Σ c/x · S ⇒ P

  r : A = M ∈ Ξ  [or r : A = M ∈ Σ]^definitions   Γ ⊢Ξ;Σ S ▷ A ⇒ P
  ------------------------------------------------------------------
  Γ ⊢Ξ;Σ r · S ⇒ P

Γ ⊢Ξ;Σ S ▷ A ⇒ P

  ---------------------
  Γ ⊢Ξ;Σ () ▷ P ⇒ P

  Γ ⊢Ξ;Σ M ⇐ A2   [M/x]^(A2⁻) A1 = A1'   Γ ⊢Ξ;Σ S ▷ A1' ⇒ P
  ------------------------------------------------------------
  Γ ⊢Ξ;Σ M; S ▷ Πx : A2. A1 ⇒ P

  y ? A ∈ Γ   Γ ⊢Σ A = A2   [y/x]A1 = A1'   Γ ⊢Ξ;Σ S ▷ A1' ⇒ P
  ---------------------------------------------------------------
  Γ ⊢Ξ;Σ [y]; S ▷ Πx ? A2. A1 ⇒ P

In the rules above, x :? A ranges over both the ordinary binding x : A and the
prepattern binding x ? A.

Fig. 6. Type Checking Rules (Condensed Selection)
4 Encoding Subtyping Systems for Recursive Types


In the presentation of the case studies, we use the concrete syntax of our implemen-
tation, following Twelf [27]. The prepattern annotations are omitted. The full
convention can be found in Appendix G of the extended version. Representations
of circular derivations involve dependent usages of cotypes.


4.1 Encoding a Classical Subtyping System 


We present a mixed inductive and coinductive definition of subtyping using
Danielsson and Altenkirch's [14] subtyping system. The system concerns the
subtyping of types given by the following grammar.


τ ::= ⊥ | ⊤ | τ → τ | μX. τ → τ | X


The subtyping judgment is defined by five axioms and two rules. The axioms are


1. ⊥ ≤ τ (bot)

2. τ ≤ ⊤ (top)

3. μX. τ1 → τ2 ≤ [μX. τ1 → τ2 / X](τ1 → τ2) (unfold)

4. [μX. τ1 → τ2 / X](τ1 → τ2) ≤ μX. τ1 → τ2 (fold)

5. τ ≤ τ (refl)


And the rules are shown below, where arr is coinductive and is written using a
double horizontal line, and trans is inductive. The validity condition of mixed
induction and coinduction entails that a derivation consisting purely of trans
rules is not valid.


  τ1 ≤ σ1   σ2 ≤ τ2                  τ1 ≤ τ2   τ2 ≤ τ3
  =================== (arr)          ------------------ (trans)
  σ1 → σ2 ≤ τ1 → τ2                  τ1 ≤ τ3


Danielsson and Altenkirch defined the rules using Agda's mixed inductive
and coinductive datatype (shown in Appendix H of the extended version) and
the encoding in CoLF is shown in Fig. 7. The curly brackets indicate explicit
Π-abstractions and the free capitalized variables are implicitly Π-abstracted. We
note that the mixed inductive and coinductive nature of the subtyping rules is
reflected in CoLF as two predicates, the inductive subtp and the coinductive
subtpinf, and the latter has a higher priority. Clauses defining one predicate
refer to the other predicate as a premise, e.g. subtp/arr and inf/arr. Let ⌜·⌝
denote the encoding relation; we have ⌜μX. σ → τ⌝ = mu (λX. ⌜σ⌝) (λX. ⌜τ⌝).


Theorem 6 (Adequacy of Encoding).


1. There is a compositional bijection between recursive types and valid canonical
terms of type tp.
2. For types σ and τ, there is a compositional bijection between valid cyclic sub-
typing derivations of σ ≤ τ and valid canonical terms of type subtp ⌜σ⌝ ⌜τ⌝.
tp : type.
bot : tp.
top : tp.
arr : tp -> tp -> tp.
mu : (tp -> tp) -> (tp -> tp) -> tp.

subtp : tp -> tp -> type.
subtpinf : tp -> tp -> cotype.
subtp/top : subtp T top.
subtp/bot : subtp bot T.
refl : subtp T T.
trans : subtp T1 T2 -> subtp T2 T3 -> subtp T1 T3.
subtp/arr : subtpinf T1 T2 -> subtp T1 T2.
unfold : {T1}{T2} subtp (mu T1 T2) (arr (T1 (mu T1 T2)) (T2 (mu T1 T2))).
fold : {T1}{T2} subtp (arr (T1 (mu T1 T2)) (T2 (mu T1 T2))) (mu T1 T2).
inf/arr : subtp T1 S1 -> subtp S2 T2 -> subtpinf (arr S1 S2) (arr T1 T2).


Fig. 7. An Encoding of Subtyping in CoLF


Proof. 1. Directly by induction on the structure of recursive types in the for- 
ward direction, and by induction on the structure of the typing derivation 
in the reverse direction. 

2. By induction on the syntax of the circular derivations in the forward direc- 
tion, and by induction on the syntax of the higher-order rational terms in the 
reverse direction. Note that cycles in the circular derivations correspond di- 
rectly to occurrences of recursion constants. The validity condition of mixed 
induction and coinduction coincides with CoLF validity. 


We give an example of the subtyping derivation of μX. X → X ≤ μX. (X →
⊥) → ⊤. Let S = μX. X → X and T = μX. (X → ⊥) → ⊤. The circular
derivation, written with the premises of each rule indented under its conclusion,
is


(s_sub_t)  S ≤ T                                  by trans
  S ≤ S → S                                       by unfold
  S → S ≤ T                                       by trans
    S → S ≤ (T → ⊥) → ⊤                           by arr (coinductive)
      T → ⊥ ≤ S                                   by trans
        T → ⊥ ≤ S → S                             by arr (coinductive)
          S ≤ T                                   cycle back to (s_sub_t)
          ⊥ ≤ S                                   by bot
        S → S ≤ S                                 by fold
      S ≤ ⊤                                       by top
    (T → ⊥) → ⊤ ≤ T                               by fold


Here is the encoding in CoLF:


s : tp = mu ([x] x) ([x] x).
t : tp = mu ([x] arr x bot) ([x] top).
s_sub_t : subtp s t =
  trans (unfold ([x] x) ([x] x)) (trans (subtp/arr (inf/arr
    (trans (subtp/arr (inf/arr s_sub_t subtp/bot))
      (fold ([x] x) ([x] x))) subtp/top))
    (fold ([x] arr x bot) ([x] top))).


We note that the circular definition is valid by the presence of the constructor 
inf/arr along the trace from s_sub_t to itself. The presence of the coinductive 
arr rule is the validity condition of mixed inductive and coinductive definitions. 

There are two key differences between a CoLF encoding and an Agda encoding. 
First, in Agda one needs to use explicit names for λ-bound variables or 
de Bruijn indices, while in CoLF one uses abstract binding trees. Second, Agda 
does not have built-in coinductive equality, but CoLF has built-in equality. In 
Agda, the one-step unfolding of s_sub_t is not equal to s_sub_t, but in CoLF 
they are equal. 
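
The circular derivation above can also be checked mechanically. The following Python program is an added example, not part of the paper or of the CoLF implementation: it implements the standard coinductive subtyping check for equirecursive types built from ⊤, ⊥ and →, in which a pair of types under consideration is assumed to hold whenever it is met again on the same path. Unlike the declarative rules of Fig. 7 it has no explicit trans, fold and unfold steps; unfolding is done on demand. The assumption is recorded only at the arrow step, which mirrors the validity condition stated above (every cycle must pass through inf/arr), and types are assumed contractive (every μ-bound variable occurs under an arrow), a restriction the example enforces itself. The types S and T are the ones from the example.

```python
# Added example: coinductive subtyping check for equirecursive types.
# Types are tuples: 'top', 'bot', ('var', X), ('arr', s, t), ('mu', X, body).
from typing import FrozenSet, Tuple, Union

Ty = Union[str, tuple]


def subst(ty: Ty, x: str, r: Ty) -> Ty:
    """Substitute the closed type r for the variable x in ty."""
    if isinstance(ty, str):            # 'top' or 'bot'
        return ty
    tag = ty[0]
    if tag == 'var':
        return r if ty[1] == x else ty
    if tag == 'arr':
        return ('arr', subst(ty[1], x, r), subst(ty[2], x, r))
    if ty[1] == x:                     # an inner binder shadows x
        return ty
    return ('mu', ty[1], subst(ty[2], x, r))


def unfold(ty: Ty) -> Ty:
    """One unfolding step: mu X. body  ~>  body[mu X. body / X]."""
    assert isinstance(ty, tuple) and ty[0] == 'mu'
    return subst(ty[2], ty[1], ty)


def contractive(ty: Ty) -> bool:
    """Every mu body must start with a constructor, not a bare variable
    (this rules out mu X. X, whose unfolding never reaches an arrow)."""
    if isinstance(ty, str) or ty[0] == 'var':
        return True
    if ty[0] == 'arr':
        return contractive(ty[1]) and contractive(ty[2])
    body = ty[2]
    while isinstance(body, tuple) and body[0] == 'mu':
        body = body[2]
    return not (isinstance(body, tuple) and body[0] == 'var') and contractive(ty[2])


def subtype(s: Ty, t: Ty, assumed: FrozenSet[Tuple[Ty, Ty]] = frozenset()) -> bool:
    """Decide s <= t coinductively.  `assumed` holds the arrow pairs on the
    current path; meeting one again closes the cycle (like s_sub_t above)."""
    if (s, t) in assumed:
        return True
    if t == 'top' or s == 'bot':
        return True
    if isinstance(s, tuple) and s[0] == 'mu':
        return subtype(unfold(s), t, assumed)
    if isinstance(t, tuple) and t[0] == 'mu':
        return subtype(s, unfold(t), assumed)
    if isinstance(s, tuple) and isinstance(t, tuple) and s[0] == 'arr' and t[0] == 'arr':
        here = assumed | {(s, t)}      # the only place where a cycle may close
        # contravariant in the domain, covariant in the codomain
        return subtype(t[1], s[1], here) and subtype(s[2], t[2], here)
    return s == t


def check(s: Ty, t: Ty) -> bool:
    if not (contractive(s) and contractive(t)):
        raise ValueError("non-contractive type")
    return subtype(s, t)


# The paper's example: S = mu X. X -> X and T = mu X. (X -> bot) -> top.
S = ('mu', 'X', ('arr', ('var', 'X'), ('var', 'X')))
T = ('mu', 'X', ('arr', ('arr', ('var', 'X'), 'bot'), 'top'))

if __name__ == '__main__':
    print(check(S, T), check(T, S))    # True False
```

Running it confirms S ≤ T and shows that T ≤ S fails (the check bottoms out at ⊤ ≤ S after one unfolding), so the assumption set never justifies a judgment that has not passed through an arrow.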


4.2 Encoding a Polarized Circular Subtyping System for 
Equirecursive Types 


We present an encoding of a variant of Lakhani et al.'s polarized subtyping 
system [22] into CoLF. The system is circular. Due to space constraints, we only 
present the encoding for the positive types fragment and their emptiness 
derivations. This is an important part of the subtyping system because an empty 
type is a subtype of any other type. The full encoding of the polarized subtyping 
system can be found in Appendix I of the extended version. 


Encoding of Positive Equirecursive Types. The equirecursive nature is 
captured by a signature $\Sigma$ providing recursive definitions for type names $t^+$. 

$$
\tau^+ ::= t^+ \mid 1 \mid \tau^+ \otimes \tau^+ \mid 0 \mid \tau^+ \oplus \tau^+
\qquad\qquad
\Sigma ::= \cdot \mid \Sigma,\ t^+ = \tau^+
$$

Equirecursive types are directly encoded as recursion constants in the system, 
and the framework automatically provides equirecursive type equality checking. 
Because equirecursive types are circular, positive types are encoded as cotype. 


postp : cotype. 
one : postp. 
plus : postp -> postp -> postp. 
times : postp -> postp -> postp. 
zero : postp. 


Theorem 7 (Adequacy of Type Encoding). There is a bijection between 
circular types defined in an object signature for the positive types fragment and 
canonical forms of the postp in CoLF. 


Proof. By induction on the syntax in both directions. 


Encoding of the Emptiness Judgment. The emptiness judgment $t\ \mathrm{empty}$ is 
defined by the following rules. We stress that these rules are to be interpreted 
coinductively. 

$$
\dfrac{t = 0 \in \Sigma}{t\ \mathrm{empty}}\ (0\,\mathrm{EMP})
\qquad
\dfrac{t = t_1 \oplus t_2 \in \Sigma \qquad t_1\ \mathrm{empty} \qquad t_2\ \mathrm{empty}}{t\ \mathrm{empty}}\ (\oplus\,\mathrm{EMP})
$$

$$
\dfrac{t = t_1 \otimes t_2 \in \Sigma \qquad t_1\ \mathrm{empty}}{t\ \mathrm{empty}}\ (\otimes\,\mathrm{EMP}_1)
\qquad
\dfrac{t = t_1 \otimes t_2 \in \Sigma \qquad t_2\ \mathrm{empty}}{t\ \mathrm{empty}}\ (\otimes\,\mathrm{EMP}_2)
$$
In CoLF, the rules are encoded as follows. The coinductive nature is reflected 
by the typing of empty : postp -> cotype, which postulates that the predicate 
empty is to be interpreted coinductively. 


empty : postp -> cotype. 

zero_emp : empty zero. 

plus_emp : empty T1 -> empty T2 -> empty (plus T1 T2). 
times_emp_1 : empty T1 -> empty (times T1 T2). 
times_emp_2 : empty T2 -> empty (times T1 T2). 


Theorem 8 (Adequacy of Encoding). There is a bijection between the circular 
derivations of $t\ \mathrm{empty}$ and the canonical forms of the type empty ⌜t⌝. 


Proof. By induction on the syntax of the circular derivation in both directions. 


As an example, we may show that the type $t$, where $t = 1 \otimes t$, is empty by 
the following circular derivation, in which the premise labelled $(\mathit{t\_empty})$ 
refers back to the conclusion carrying the same label. 

$$
(\mathit{t\_empty})\quad
\dfrac{t = 1 \otimes t \in \Sigma \qquad \overset{(\mathit{t\_empty})}{t\ \mathrm{empty}}}{t\ \mathrm{empty}}\ (\otimes\,\mathrm{EMP}_2)
$$

This derivation can be encoded as follows. 


t : postp = times one t. 
t_empty : empty t = times_emp_2 t_empty. 


The reader is advised to take a look at Appendix I.3 of the extended version 
for two simple yet elegant examples of subtyping derivations. 
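
The emptiness judgment can be decided by a fixpoint computation. The program below is an added example in Python, not part of the paper: because the rules are read coinductively, `t empty` is the greatest fixed point, computed here as the complement of the least fixed point of "inhabited". For every empty name it also rebuilds the finite circular justification in terms of the constants zero_emp, plus_emp, times_emp_1 and times_emp_2 of the encoding above, so the output for t = 1 ⊗ t is the analogue of `t_empty = times_emp_2 t_empty`. The signature given as input is constructed for the example.

```python
# Added example: emptiness of positive equirecursive types via a fixpoint.
# A signature maps a type name t to its definition tau, written as
# 'one', 'zero', ('plus', a, b), ('times', a, b) or another type name.
from typing import Dict, List, Optional, Set, Tuple, Union

Ty = Union[str, Tuple[str, "Ty", "Ty"]]


def inhabited_names(sigma: Dict[str, Ty]) -> Set[str]:
    """Least fixed point: a name is inhabited only if its definition can be
    shown inhabited from names already known to be inhabited."""
    inh: Set[str] = set()

    def inh_ty(ty: Ty) -> bool:
        if ty == 'one':
            return True
        if ty == 'zero':
            return False
        if isinstance(ty, tuple):
            tag, a, b = ty
            return inh_ty(a) or inh_ty(b) if tag == 'plus' else inh_ty(a) and inh_ty(b)
        return ty in inh                 # a type name: current assumption only

    changed = True
    while changed:
        changed = False
        for name, defn in sigma.items():
            if name not in inh and inh_ty(defn):
                inh.add(name)
                changed = True
    return inh


def empty_names(sigma: Dict[str, Ty]) -> Set[str]:
    """Greatest fixed point of the coinductive emptiness rules."""
    return set(sigma) - inhabited_names(sigma)


def is_empty(sigma: Dict[str, Ty], ty: Ty) -> bool:
    """Extend emptiness from names to arbitrary positive types."""
    emp = empty_names(sigma)

    def go(ty: Ty) -> bool:
        if ty == 'zero':
            return True
        if ty == 'one':
            return False
        if isinstance(ty, tuple):
            tag, a, b = ty
            return go(a) and go(b) if tag == 'plus' else go(a) or go(b)
        return ty in emp

    return go(ty)


def derivation(sigma: Dict[str, Ty], name: str) -> Optional[Tuple[str, List[Ty]]]:
    """The rule and premises justifying `name empty`, using the constant names
    of the CoLF encoding; a premise that is a name refers back into the same
    (circular) derivation.  None if the name is not empty."""
    if name not in empty_names(sigma):
        return None
    defn = sigma[name]
    if defn == 'zero':
        return ('zero_emp', [])
    if isinstance(defn, str):
        raise ValueError("name aliases are not covered by the rules above")
    tag, a, b = defn
    if tag == 'plus':
        return ('plus_emp', [a, b])
    if is_empty(sigma, a):
        return ('times_emp_1', [a])
    return ('times_emp_2', [b])


# Constructed signature: t = 1 (x) t, s = 1 (+) s, u = 0 (+) t, v = s (x) s.
SIGMA: Dict[str, Ty] = {
    't': ('times', 'one', 't'),
    's': ('plus', 'one', 's'),
    'u': ('plus', 'zero', 't'),
    'v': ('times', 's', 's'),
}

if __name__ == '__main__':
    print(sorted(empty_names(SIGMA)))   # ['t', 'u']
    print(derivation(SIGMA, 't'))       # ('times_emp_2', ['t'])
```

Starting from "everything is empty" and removing names as they are shown inhabited is what gives the coinductive reading: t = 1 ⊗ t is never removed, whereas s = 1 ⊕ s is removed in the first round.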


5 Related Work 


Cyclic λ-Calculus and Circular Terms. Ariola and Blom [2], and Ariola and Klop 
[3] studied the confluence property of reduction in the cyclic λ-calculus. Their 
calculus differs from CoLF in several aspects. Their calculus is designed to capture 
reasoning principles of recursive functions and thus has a general recursive let 
structure that can be attached to terms at any level. Terms are equated up 
to infinite Lévy-Longo trees (with decidable equality), but equality as Böhm 
trees is not decidable. CoLF is designed for circular terms and circular 
derivations, and all recursive definitions occur at the top level. Terms are 
equated up to infinite Böhm trees and the equality is decidable. Our equality 
algorithm is adapted from Huet's algorithm for regular Böhm trees [21]. Equality 
on first-order terms has been studied both in its own right [16] and in the 
context of subtyping for recursive types [1,6,14,23]. Our algorithm, when applied 
to first-order terms, is "the same". Courcelle [13] and Djelloul et al. [15] have 
studied the properties of first-order circular terms. Simon [28] designed a 
coinductive logic programming language based on first-order circular terms. 
Contrary to CoLF, there are no mutual dependencies between inductive and 
coinductive predicates in Simon's language. 

Logical Frameworks. Harper et al. [18] designed the logical framework LF, 
which this work extends. Pfenning et al. later added notational definitions 
[26]. The method of hereditary substitution was developed as part of the research 
on linear and concurrent logical frameworks [9,29,10]. Harper and Licata 
demonstrated the method in formalizing the metatheory of the simply typed 
λ-calculus [19]. In his master's thesis, Chen investigated a mixed inductive and 
coinductive logical framework with an infinite stack of priorities, but only in 
the context of a first-order type theory [12]. 

Mixed Induction and Coinduction and Circular Proof Systems. The equality 
and subtyping systems of recursive types [1,6,14,23,22] have traditionally recog- 
nized coinduction and more recently mixed induction and coinduction as an un- 
derlying framework. Fortier and Santocanale [17] devised a circular proof system 
for propositional linear sequent calculus with mixed inductive and coinductive 
predicates. This system together with Charatonik et al.'s Horn μ-calculus [11] 
motivated the validity condition of CoLF. Brotherston and Simpson devised an 
infinitary and a circular proof system as methods of carrying out induction [7,8]. 
Due to the complexity of their validity condition, the encoding of Brotherston 
and Simpson’s system in full generality and Fortier and Santocanale’s system is 
currently not immediate and is considered in ongoing work. 


6 Conclusion 


We have presented the type theory of a novel logical framework with higher-order 
rational terms that admit coinductive and mixed inductive and coinductive 
interpretations. We have proposed prepattern variables and prepattern Π-types 
to give a type-theoretic formulation of regular Böhm trees. Circular objects 
and derivations are represented as higher-order rational terms, as demonstrated 
in the case study of the subtyping deductive systems for recursive types. 

We once again highlight the methodology of logical frameworks and what 
CoLF accomplishes. Logical frameworks internalize equalities that are present 
in the term model for an object logic. LF [18] internalizes αβη-equivalence of the 
dependently typed λ-calculus. Within LF, one is not able to write a specification 
that distinguishes two terms that are α- or β-equivalent, because the two 
corresponding derivations are identical in the object logic. Similarly, the 
concurrent logical framework CLF [29] internalizes equalities of concurrent processes 
that only differ in the order of independent events. The logical framework CoLF 
internalizes the equality of circular derivations. Using CoLF, one cannot write 
a specification that distinguishes between two different finitary representations 
of the same circular proof. It is this property that makes CoLF a more suitable 
framework for encoding circular derivations than existing finitary frameworks. 
Acknowledgments. We would like to thank Robert Harper and Brigitte Pien- 
tka for insightful discussion on the research presented here and the anonymous 
reviewers for their helpful comments and suggestions. 
Abstract. Much work has been done to give semantics to probabilistic 
programming languages. In recent years, most of the semantics used 
to reason about probabilistic programs fall into two categories: semantics 
based on Markov kernels and semantics based on linear operators. 
Both styles of semantics have found numerous applications in reasoning 
about probabilistic programs, but they each have their strengths and 
weaknesses. Though it is believed that there is a connection between 
them, there are no languages that can handle both styles of programming. 
In this work we address these questions by defining a two-level calculus 
and its categorical semantics which makes it possible to program with 
both kinds of semantics. From the logical side of things we see this 
language as an alternative resource interpretation of linear logic, where the 
resource being kept track of is sampling instead of variable use. 


Keywords: Linear Logic, Probabilistic Programming, Categorical Semantics. 


1 Introduction 


Probabilistic primitives have been a standard feature of programming languages 
since the 70s. At first, randomness was mostly used to program so-called 
randomized algorithms, i.e. algorithms that require access to a source of 
randomness. Recently, however, with the rise of computational statistics and 
machine learning, randomness is also used to program statistical models and 
inference algorithms. 

Programming languages researchers have seen this rise in interest as an op- 
portunity to further study the interaction of probability and programming lan- 
guages, establishing it as an active subfield within the PL community. 

One of the main goals of this subfield is giving semantics to programming lan- 
guages that are both expressive in the regular PL sense as well as in its abilities 
to program with randomness. One particular difficulty is that the mathematical 
machinery used for probability theory, i.e. measure theory, does not interact well 
with higher-order functions [2]. 

Currently, there are two classes of models of probabilistic programming — 
in its broad sense — that have found numerous applications: models based on 
linear logic and models based on Markov kernels. Since each kind of semantics 
has peculiarities that make them more or less adequate to give semantics to 
expressive programming languages, it is an important theoretical question to 
understand how these classes of models are related. 


© The Author(s) 2023 
O. Kupferman and P. Sobocinski (Eds.): FoSSaCS 2023, LNCS 13992, pp. 89-112, 2023. 
Linear Logic for Probabilistic Semantics The models of linear logic that 
have been used to give semantics to probabilistic languages are usually based on 
categories of vector spaces where programs are denoted by linear operators. We 
highlight two of them: 


– Ehrhard et al. [11,10,9] have defined models of linear logic with probabilistic 
primitives and have used the translation of intuitionistic logic into linear logic, 
$A \to B = {!A} \multimap B$, where $!A$ is the exponential modality, to give semantics 
to a stochastic λ-calculus. 

– Dahlqvist and Kozen [8] have defined an imperative, higher-order, linear 
probabilistic language and added a type constructor $!$ to accommodate non- 
linear programs. 


The main advantage of models based on linear logic is that programs are 
denoted by linear operators between spaces of distributions, a formalism that 
has been extensively used to reason about stochastic processes, as illustrated 
by Dahlqvist and Kozen who have used results from ergodic theory to reason 
about a Gibbs sampling algorithm written in their language, and by Clerc et al., 
who have shown how Bayesian inference can be given semantics using adjoints of 
linear operators [7]. 

Unfortunately, these insights are hard to realize in practice, since languages 
based on linear logic enforce that variables must be used exactly once, making it 
hard to use it as a programming language. The usual way linear logic deals with 
this limitation is through the ! modality which allows variables to be reused. 

The problem with the exponential modality, when it comes to probabilistic 
programming, is that it is usually difficult to construct and has no clear 
interpretation in terms of probability, which makes the linear operator formalism 
inapplicable; more operationally, through its connection with call-by-name (CBN) 
semantics [18], it makes it mathematically hard to reuse sampled values. 

Ehrhard et al. have found a way around this problem by introducing a call- 
by-value (CBV) let operator that allows samples to be reused [11,24]. In the 
discrete case this operator is elegantly defined by a categorical argument which 
is unknown to scale to the continuous case, which they deal with by making use 
of an ad-hoc construction that is unclear if it can be generalized to other models 
of linear logic. Therefore, our current understanding of models of linear logic 
does not provide a uniform way of reusing samples. 

The difference between CBV and CBN can be illustrated by the program 
$\mathrm{let}\ x = \mathrm{coin}\ \mathrm{in}\ x + x$, where coin is a primitive that outputs 0 or 1 with equal 
probability. In the CBN semantics each use of $x$ corresponds to a new sample 
from coin, whereas in the CBV semantics the coin is only sampled once. 

A subtler problem of probabilistic models based on linear logic is that they 
are ill-equipped to program with joint distributions. For instance, the language 
proposed by Ehrhard et al. can be easily extended with product types which, 
under their semantics, would make the type $\mathbb{R} \times \mathbb{R}$ be interpreted as $M\mathbb{R} \times M\mathbb{R}$, 
where $M\mathbb{R}$ is the set of distributions over $\mathbb{R}$, which is isomorphic to the set of 
independent distributions over $\mathbb{R}^2$. Dahlqvist and Kozen deal with this issue by 
adding primitive types $\mathbb{R}^n$ to their language which are interpreted as the set of 
joint distributions over $\mathbb{R}^n$. However, since they are not defined using the type 
constructors provided by the semantic domain, programs of type $\mathbb{R}^n$ can only be 
manipulated by primitives defined outside the language. 


Markov Kernel Semantics Markov kernels are a generalization of transition 
matrices, i.e. functions that map states to probability distributions over them. 
They are appealing from a programming languages perspective because their 
programming model is usually captured by monads and Kleisli arrows, a common 
abstraction in programming languages semantics, and have been extensively used 
to reason about probabilistic programs [1,22,3]. By being related to monadic 
programming they differ from their linear operator counterpart by being able 
to naturally capture a call-by-value semantics which, as we argued above, is the 
most natural one for probabilistic programming. 

Unfortunately, even though these semantics can be generalized to continuous 
distributions, they are notoriously brittle when it comes to higher-order 
programming. Only recently, with the introduction of quasi-Borel spaces [15] 
and their probability monad, has it become possible to give a kernel-centric 
semantics to higher-order probabilistic programming with continuous distributions. 

However, due to quasi Borel spaces being a different foundation to proba- 
bility theory, it is unclear which theorems and theories can be generalized to 
higher-order. For instance, martingale theory has been used in Computer Sci- 
ence to reason about termination of probabilistic programs [6,20,16]. In order to 
generalize these ideas to higher-order functions it would be necessary to define 
a quasi Borel version of martingales and prove appropriate versions of the main 
theorems from martingale theory, a non-trivial task. 


Our Work: Combining both Kinds of Semantics Though both styles 
of semantics provide insights into how to interpret probabilistic programming 
languages (PPL), it is still too early to claim that we have a “correct” semantics 
which subsumes all of the existing ones. Both approaches mentioned above have 
their advantages and drawbacks. 

In this work we shed some light into how both semantics relate to one another 
by showing that it is possible to use both styles of semantics to interpret a linear 
calculus that has higher-order functions, looser linearity restrictions, a uniform 
way of dealing with sample reuse and better syntax for programming joint dis- 
tributions while still being close to their kernel and linear operator counterparts. 
Interestingly, we identify the joint distribution problem described above to be 
a consequence of linear logic requiring the non-linear product to be cartesian. 
In order to tackle this problem we build on categorical semantics of linear logic 
and on recent work on Markov categories, a suitable categorical generalization 
of Markov kernels defined using semicartesian products. 

We bridge the gap between these semantics by noting that the regular resource 
interpretation of linear logic, i.e. $A \multimap B$ being equivalent to "by using one 
copy of $A$ I get one copy of $B$", is too restrictive an interpretation for probabilistic 
programming. Instead, we should think of usage as being equivalent to sampling. 
Therefore the linear arrow $A \multimap B$ should be thought of as "by sampling from $A$ 
once I get $B$", which is the computational interpretation of Markov kernels. 

We realize this interpretation through a multilanguage approach: we have one 
language that programs Markov kernels, a second language that programs linear 
operators and add syntax that transports programs from the former language 
into the latter one. To justify the viability of our categorical framework we show 
how existing probabilistic semantics are models to our language and show how, 
under mild conditions, this semantics can be generalized to commutative effects. 

Our contributions are: 


– We define a multi-language syntax that can program both Markov kernels 
as well as linear operators. (§3) 

– We define its categorical semantics and prove certain interesting equations 
satisfied by it. (§4) 

– We show that our semantics is already present in existing models for discrete 
and continuous probabilistic programming. (§5) 

– We show how our semantics can be generalized to commutative effects. (§6) 


2 Mathematical Preliminaries 


We are assuming that the reader is familiar with basic notions from category 
theory such as categories, functors and monads. 


Probability Theory 


Transition matrices are one of the simplest abstractions used to model stochastic 
processes. Given two countable sets $A$ and $B$, the entry $(a, b)$ of a transition 
matrix is the probability of ending up in state $b \in B$ whenever you start from 
the initial state $a \in A$, and every row adds up to 1. 


Definition 1. The category CountStoch has countable sets as objects and 
transition matrices as morphisms. The identity morphism is the identity ma- 
trix and composition is given by matrix multiplication. 


Though transition matrices are conceptually simple, they can only model 
discrete probabilistic processes and, in order to generalize them to continuous 
probability we must use measurable sets and Markov kernels. 


Definition 2. A measurable set is a pair $(A, \Sigma_A)$, where $A$ is a set and $\Sigma_A \subseteq \mathcal{P}(A)$ is a $\sigma$-algebra, i.e. it contains the empty set and is closed under complements and countable unions. 


Definition 3. A function $f : (A, \Sigma_A) \to (B, \Sigma_B)$ is called measurable if for every $S \in \Sigma_B$, $f^{-1}(S) \in \Sigma_A$. 


Definition 4. Let $(A, \Sigma_A)$ be a measurable space. A probability distribution over $(A, \Sigma_A)$ is a function $\mu : \Sigma_A \to [0,1]$ such that $\mu(\emptyset) = 0$, $\mu(A) = 1$ and $\mu\big(\biguplus_{i \in \mathbb{N}} A_i\big) = \sum_{i \in \mathbb{N}} \mu(A_i)$ for every countable family of pairwise disjoint $A_i \in \Sigma_A$. 


Given two measurable sets $(A, \Sigma_A)$ and $(B, \Sigma_B)$ it is possible to define a $\sigma$-algebra over $A \times B$ generated by the sets $X \times Y$ with $X \in \Sigma_A$ and $Y \in \Sigma_B$, which we denote by $\Sigma_A \otimes \Sigma_B$. Furthermore, every pair of distributions $\mu_A$ and $\mu_B$ over $A$ and $B$ respectively can be lifted to a distribution $\mu_A \otimes \mu_B$ over $A \times B$ such that $(\mu_A \otimes \mu_B)(X \times Y) = \mu_A(X)\,\mu_B(Y)$ for $X \in \Sigma_A$ and $Y \in \Sigma_B$. 


Definition 5. Let $(A, \Sigma_A)$ and $(B, \Sigma_B)$ be two measurable spaces. A Markov kernel is a function $f : A \times \Sigma_B \to [0,1]$ such that 

– for every $a \in A$, $f(a, -)$ is a probability distribution over $(B, \Sigma_B)$; 
– for every $S \in \Sigma_B$, $f(-, S)$ is a measurable function. 


Definition 6. The category Kern has measurable sets as objects and Markov kernels as morphisms. The identity arrow is the kernel $\mathrm{id}_A(a, S) = 1$ if $a \in S$ and $0$ otherwise, and the composition of $g : (A, \Sigma_A) \to (B, \Sigma_B)$ with $f : (B, \Sigma_B) \to (C, \Sigma_C)$ is given by integration: 

$$(f \circ g)(a, S) = \int_B f(b, S)\, g(a, \mathrm{d}b), \qquad S \in \Sigma_C .$$ 


Markov Categories 


The field of categorical probability was developed in order to get a more concep- 
tual understanding of Markov kernels. One of its cornerstone definitions is that 
of a Markov category which are categories where objects are abstract sample 
spaces, morphisms are abstract Markov kernels and every object has “contrac- 
tion” and “weakening” morphisms which correspond to duplicating and discard- 
ing a sample, respectively, without adding any new randomness. 


Definition 7 (Markov category [12]). A Markov category is a semicartesian 
symmetric monoidal category $(\mathcal{C}, \otimes, 1)$ in which every object $X$ comes equipped 
with a commutative comonoid structure, denoted by $\mathrm{copy}_X : X \to X \otimes X$ and 
$\mathrm{delete}_X : X \to 1$, where copy satisfies 

$$\mathrm{copy}_{X \otimes Y} = (\mathrm{id}_X \otimes b_{Y,X} \otimes \mathrm{id}_Y) \circ (\mathrm{copy}_X \otimes \mathrm{copy}_Y),$$ 

where $b_{Y,X}$ is the natural isomorphism $Y \otimes X \cong X \otimes Y$. The category being 
semicartesian means that the monoidal product comes equipped with projection 
morphisms $\pi_1 : A \otimes B \to A$ and $\pi_2 : A \otimes B \to B$, but it is not Cartesian because 
the equation $\langle \pi_1 \circ f, \pi_2 \circ f \rangle = f$ does not hold in general, which, intuitively, 
corresponds to the fact that joint distributions might be correlated. 


Theorem 1 ([12]). CountStoch is a Markov category. 


The monoidal product is given by the Cartesian product and the monoidal 
unit is the singleton set. The $\mathrm{copy}_X$ morphism is the matrix $X \times (X \times X) \to [0,1]$ 
which is $1$ in the positions $(x, (x, x))$ and $0$ elsewhere, and the $\mathrm{delete}_X$ morphism 
is the constant-$1$ matrix indexed by $X$, i.e. the unique row-stochastic matrix $X \times 1 \to [0,1]$. 
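
To make the semicartesian/Cartesian distinction concrete, here is an added example in Python (not from the paper or from [12]) that implements CountStoch on finite sets: a kernel is a row-stochastic matrix stored as a dictionary of rows with exact rational entries, composition is matrix multiplication, and copy and delete are the comonoid maps just described. It checks the comonoid laws and exhibits a correlated joint distribution $f$ for which the re-pairing $\langle \pi_1 \circ f, \pi_2 \circ f \rangle$ differs from $f$. The coin kernel and the sets used are constructed for the example.

```python
# Added example: the Markov category CountStoch on finite sets.
# A kernel f : X -> Y is a dict mapping each x in X to a row {y: p} summing to 1.
from fractions import Fraction
from itertools import product
from typing import Any, Dict, Iterable

Row = Dict[Any, Fraction]
Kernel = Dict[Any, Row]


def is_kernel(f: Kernel) -> bool:
    """Every row is a probability distribution."""
    return all(sum(row.values()) == 1 and all(p >= 0 for p in row.values())
               for row in f.values())


def identity(X: Iterable) -> Kernel:
    return {x: {x: Fraction(1)} for x in X}


def compose(g: Kernel, f: Kernel) -> Kernel:
    """g after f: matrix multiplication, summing over the middle state."""
    out: Kernel = {}
    for x, row in f.items():
        acc: Row = {}
        for y, p in row.items():
            for z, q in g[y].items():
                acc[z] = acc.get(z, Fraction(0)) + p * q
        out[x] = acc
    return out


def tensor(f: Kernel, g: Kernel) -> Kernel:
    """f (x) g on Cartesian products of states: two independent runs."""
    return {(x, xp): {(y, yp): p * q
                      for y, p in f[x].items() for yp, q in g[xp].items()}
            for x, xp in product(f, g)}


def copy(X: Iterable) -> Kernel:
    """copy_X : X -> X x X, the deterministic kernel x |-> (x, x)."""
    return {x: {(x, x): Fraction(1)} for x in X}


def delete(X: Iterable) -> Kernel:
    """delete_X : X -> 1, the constant-1 column (1 is the singleton {()})."""
    return {x: {(): Fraction(1)} for x in X}


def proj1(X: Iterable, Y: Iterable) -> Kernel:
    """pi_1 : X x Y -> X, i.e. id_X (x) delete_Y with the unit dropped."""
    return {(x, y): {x: Fraction(1)} for x in X for y in Y}


def proj2(X: Iterable, Y: Iterable) -> Kernel:
    return {(x, y): {y: Fraction(1)} for x in X for y in Y}


def pairing(f: Kernel, g: Kernel) -> Kernel:
    """The would-be Cartesian pairing <f, g> = (f (x) g) o copy."""
    return compose(tensor(f, g), copy(list(f)))


def comonoid_laws_hold(X: Iterable) -> bool:
    """pi_i o copy_X = id_X, the counit laws of the comonoid."""
    X = list(X)
    return (compose(proj1(X, X), copy(X)) == identity(X)
            and compose(proj2(X, X), copy(X)) == identity(X))


def repaired_marginals(f: Kernel, X: Iterable, Y: Iterable) -> Kernel:
    """<pi_1 o f, pi_2 o f>: the product of the two marginals of f."""
    X, Y = list(X), list(Y)
    return pairing(compose(proj1(X, Y), f), compose(proj2(X, Y), f))


# A fair coin as a kernel 1 -> {0, 1}, and the perfectly correlated pair
# copy o coin (constructed input for the example).
COIN: Kernel = {(): {0: Fraction(1, 2), 1: Fraction(1, 2)}}
CORRELATED: Kernel = compose(copy([0, 1]), COIN)

if __name__ == '__main__':
    print(CORRELATED[()])                                        # (0,0), (1,1) at 1/2
    print(repaired_marginals(CORRELATED, [0, 1], [0, 1])[()])    # all four pairs at 1/4
```

The last two lines show the failure of the Cartesian equation: both marginals of CORRELATED are the fair coin, but re-pairing them through copy yields the independent product, not the original joint distribution.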
Theorem 2 ([12]). Kern is a Markov category. 


This category is the continuous generalization of CountStoch: the monoidal 
product is the Cartesian product with the product $\sigma$-algebra and the monoidal 
unit is the singleton set $\{*\}$. The $\mathrm{copy}_X$ morphism is the Markov kernel 
$\mathrm{copy}_X : X \times (\Sigma_X \otimes \Sigma_X) \to [0,1]$ such that $\mathrm{copy}_X(x, S \times T) = 1$ if $x \in S \cap T$ and $0$ 
otherwise. Its delete morphism is simply the function that, given any element of $X$, 
returns the distribution which is $1$ on the measurable set $\{*\}$ and $0$ on the empty 
measurable set. 


Linear Logic and Monoidal Categories 


We recall the categorical semantics of the multiplicative fragment of linear logic 
(MLL): 


Definition 8 ([21]). A category $\mathcal{C}$ is an MLL model if it is symmetric monoidal 
closed (SMCC), i.e. every functor $A \otimes -$ has a right adjoint $A \multimap -$. 


We denote the monoidal product by $\otimes$ and the space of linear maps between 
objects $X$ and $Y$ by $X \multimap Y$; $\mathrm{ev} : (X \multimap Y) \otimes X \to Y$ is the counit of the 
monoidal closed adjunction and $\mathrm{cur} : \mathcal{C}(X \otimes Y, Z) \to \mathcal{C}(X, Y \multimap Z)$ is the linear 
currying map. We use the triple $(\mathcal{C}, \otimes, \multimap)$ to denote such models. 


Definition 9. Let $(\mathcal{C}, \otimes_{\mathcal{C}}, 1_{\mathcal{C}})$ and $(\mathcal{D}, \otimes_{\mathcal{D}}, 1_{\mathcal{D}})$ be two monoidal categories. We 
say that a functor $F : \mathcal{C} \to \mathcal{D}$ is lax monoidal if there is a morphism $\epsilon : 1_{\mathcal{D}} \to F(1_{\mathcal{C}})$ 
and a natural transformation $\mu_{X,Y} : F(X) \otimes_{\mathcal{D}} F(Y) \to F(X \otimes_{\mathcal{C}} Y)$ 
making the diagrams in Figure 8 (in Appendix B) commute. 


If $\epsilon$ and $\mu_{X,Y}$ are isomorphisms we say that $F$ is strong monoidal. 

One key observation of this paper is that there are many lax monoidal func- 
tors between Markov categories and models of linear logic that can interpret 
probabilistic processes. 


3 Syntax 


In this section we will design a syntax that reflects the fact that linearity cor- 
responds to sampling, not variable usage. We achieve this by making use of a 
multi-language semantics that enables the programmer to transport programs 
defined in a Markov kernel-centric language (MK) to a linear, higher-order, lan- 
guage (LL). 

Our thesis is that in the context of probabilistic programming, linear logic, 
through its connection with linear algebra, departs from its usual Computer 
Science applications of enforcing syntactic invariants and, instead, provides a 
natural mathematical formalism to express ideas from probability theory, as 
shown by Dahlqvist and Kozen [8]. 

Therefore, since many probabilistic programming constructs, such as Bayesian 
inference and Markov kernels, can be naturally interpreted in linear logic terms, 
$$
\begin{array}{lcl}
\tau & ::= & 1 \mid \tau \times \tau \\
M, N & ::= & x \mid \mathrm{unit} \mid \mathrm{let}\ x = M\ \mathrm{in}\ N \mid (M, N) \mid \pi_1\, M \mid \pi_2\, M \mid f(M) \\
\Gamma & ::= & \cdot \mid \Gamma, x : \tau
\end{array}
$$


Fig. 1: Syntax MK 


we believe that our calculus allows the user to benefit from the insights lin- 
earity provides to PPL while unburdening them from worrying about syntactic 
restrictions by making it possible to also program using kernels. 

We use standard notation from the literature: $\Gamma \vdash t : \tau$ means that the 
program $t$ has type $\tau$ under context $\Gamma$, $t\{x/u\}$ means substitution of $u$ for $x$ in 
$t$, and $t\{\vec{x}/\vec{u}\}$ is the simultaneous substitution of the term list $\vec{u}$ for the variable 
list $\vec{x}$ in $t$. 

Both languages will be defined in this section and, for presentation’s sake, 
we are going to use orange to represent MK programs and purple to represent 
LL programs. 


3.1 A Markov Kernel Language 


We need a language to program Markov kernels. Since we are aiming at generality, 
we assume the least amount of structure possible. As such we will be 
working with the internal language of Markov categories, as presented in 
Figure 1 and Figure 4¹. Note that we are implicitly assuming a set of primitives for 
the functions $f$. 

By construction, every Markov category can interpret this language, as we 
show in Figure 6, with types being interpreted as 

$$\llbracket 1 \rrbracket = 1 \qquad\qquad \llbracket \tau_1 \times \tau_2 \rrbracket = \llbracket \tau_1 \rrbracket \times \llbracket \tau_2 \rrbracket$$ 

and the contexts are interpreted using $\times$ over the interpretation of the types. 
However, as it stands, it is not very expressive, since it has no probabilistic 
primitives nor any interesting types, because $1 \times 1 \cong 1$. 

When working with concrete models (cf. Section 5) we can extend the language 
with more expressive types as well as with concrete probabilistic primitives. 
For instance, in the context of continuous probabilities we could add an $\mathbb{R}$ 
datatype and a uniform distribution primitive $\cdot \vdash \mathrm{uniform} : \mathbb{R}$. 

Note that even though this language does not have any explicit sampling op- 
erators, this is implicitly achieved by the let operator. For instance, the program 


¹ cf. Appendix A. 
$$
\begin{array}{lcl}
\tau & ::= & 1 \mid \tau \multimap \tau \mid \tau \otimes \tau \\
t, u & ::= & x \mid \mathrm{unit} \mid \lambda x.\, t \mid t\ u \mid t \otimes u \mid \mathrm{let}\ x \otimes y = t\ \mathrm{in}\ u \\
\Gamma & ::= & \cdot \mid \Gamma, x : \tau
\end{array}
$$


Fig. 2: Syntax LL 


let x = uniform in x + x samples from a uniform distribution, binds the result to 
the variable x and adds the sample to itself (Fig. 2). 


3.2 A Linear Language 


Our second language is a linear simply-typed A-calculus, with the usual typing 
rules shown in Figure 5 in Appendix A, which can be interpreted in every sym- 
metric monoidal closed category as shown in Figure 7, also in Appendix A, with 
types interpreted by 


$$
\llbracket 1 \rrbracket = 1 \qquad
\llbracket \tau_1 \otimes \tau_2 \rrbracket = \llbracket \tau_1 \rrbracket \otimes \llbracket \tau_2 \rrbracket \qquad
\llbracket \tau_1 \multimap \tau_2 \rrbracket = \llbracket \tau_1 \rrbracket \multimap \llbracket \tau_2 \rrbracket
$$


and the contexts are interpreted using ® over the interpretation of the types. 
Once again, we are aiming at generality instead of expressivity. In a concrete 
setting it would be fairly easy to extend the calculus with a datatype $\mathbb{N}$ for 
natural numbers and probabilistic primitives such as $\cdot \vdash \mathrm{coin} : \mathbb{N}$ that flips a 
fair coin. 

The idea behind the particular linear logic models that we are interested in is 
that, by integration, Markov kernels can be seen as linear operators between 
vector spaces of probability distributions. As such, an LL program $x : \mathbb{N} \vdash_{LL} t : \mathbb{N}$ 
will be denoted by a linear function between distributions over the natural 
numbers. Therefore, from a programming point of view, variables are placeholders 
for probability distributions, i.e. computations, not values, and sampling occurs 
when variables are used. 


3.3 Combining Languages 


The main drawback of the linear calculus above is that the syntactic linearity 
restriction makes it hard to program with it, while the main drawback of the 
Markov language is that it does not have higher-order functions. In this section 
we will show how we can combine both language so that we get a calculus with 
looser linearity restrictions while still being higher-order. 


A Higher-Order Language for Markov Kernels and Linear Operators 97 


$$
\begin{array}{lcl}
\tau & ::= & 1 \mid \tau \multimap \tau \mid \tau \otimes \tau \mid M\tau \\
M, N & ::= & x \mid \mathrm{unit} \mid \mathrm{let}\ x = M\ \mathrm{in}\ N \mid f(M) \mid (M, N) \mid \pi_1\, M \mid \pi_2\, M \\
t, u & ::= & x \mid \mathrm{unit} \mid \lambda x.\, t \mid t\ u \mid t \otimes u \mid \mathrm{let}\ x \otimes y = t\ \mathrm{in}\ u \\
     & \mid & \mathrm{sample}\ t_i\ \mathrm{as}\ x_i\ \mathrm{in}\ M
\end{array}
$$


Fig. 3: Syntax LL+MK 


As we will show in Section 5, when looking at concrete models for these 
languages we can see that the semantic interpretations of variables in both lan- 
guages are completely different: in the MK language variables should be thought 
of as values, i.e. the values that were sampled from a distribution, whereas in the 
LL language, variables of ground type are distributions. In order to bridge these 
languages we must use the observation that Markov kernels — i.e. open MK 
terms — have a natural resource-aware interpretation of being “sample-once” 
stochastic processes and, by integration, can be seen as linear maps between 
measure spaces — i.e. open LL terms. The combined syntax for the language is 
depicted in Figure 3. 

We now have a language design problem: we want to capture the fact that 
every open MK program is, semantically, also an open LL term. The naive typing 
rule is: 


$$
\dfrac{x_1 : \tau_1, \ldots, x_n : \tau_n \vdash_{MK} M : \tau}
      {x_1 : M\tau_1, \ldots, x_n : M\tau_n \vdash_{LL} \mathrm{MK}(M) : M\tau}
$$


The problem with this rule is that it breaks substitution: the variables in the 
premise are MK variables whereas the ones in the conclusion are LL variables. 

We solve this problem by making the syntax reflect a common idiom of PPLs: 
compute distributions (elements of M7), sample from it and then use the result 
in a non-linear continuation. This is captured by the following syntax: 


$$\mathrm{sample}\ t_1, \ldots, t_n\ \mathrm{as}\ x_1, \ldots, x_n\ \mathrm{in}\ M$$


Note that we are sampling from LL programs t; (possibly an empty list), out- 
putting the results to MK variables x; and binding them to an MK program M. 
When clear from the context we simply use sample t; as x; in M. Its correspond- 
ing typing rule is: 


$$
\dfrac{x_1 : \tau_1, \ldots, x_n : \tau_n \vdash_{MK} M : \tau
       \qquad \Gamma_i \vdash_{LL} t_i : M\tau_i \quad (1 \le i \le n)}
      {\Gamma_1, \ldots, \Gamma_n \vdash_{LL} \mathrm{sample}\ t_i\ \mathrm{as}\ x_i\ \mathrm{in}\ M : M\tau}
\ \text{SAMPLE}
$$
As the typing rule suggests, its semantics should be some sort of composi- 
tion. However, since we are composing programs that are interpreted in different 
categories, we must have a way of translating MK programs into LL programs 
— as we will see in Section 4 this translation will be functorial. The operational 
interpretation of this rule is that we have a set of distributions {t_i} defined using 
the linear language — possibly using higher-order programs — we sample from 
them, bind the samples to the variables {x_i} in the MK program M where there 
are no linearity restrictions. Note that the rule above looks very similar to a 
monadic composition, though they are semantically different (cf. Section 4). 

With this new syntax we can finally program in accordance with our new 
resource interpretation of linear logic, allowing us to write the program 


sample coin as x in (x = x), 


which flips a coin once and tests the result for equality with itself, making it 
equivalent to true. 
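
The CBN/CBV distinction from the introduction and the behaviour of sample just described can be run side by side. The interpreter below is an added example in Python and is not the paper's semantics: it evaluates a small constructed discrete language to a distribution over results, represented as a dictionary of exact probabilities. Under CBN a let-bound variable stands for the distribution, so every use re-samples; under CBV, and always for sample, the variable stands for the value drawn once. The programs let x = coin in x + x and sample coin as x in (x = x) are the constructed inputs.

```python
# Added example: distribution semantics of let (CBN vs CBV) and of sample.
from fractions import Fraction
from typing import Any, Callable, Dict, Tuple

Dist = Dict[Any, Fraction]
Term = Tuple[Any, ...]


def pure(v: Any) -> Dist:
    return {v: Fraction(1)}


def bind(d: Dist, k: Callable[[Any], Dist]) -> Dist:
    """Sequence a distribution with a value-indexed continuation (Kleisli extension)."""
    out: Dist = {}
    for v, p in d.items():
        for w, q in k(v).items():
            out[w] = out.get(w, Fraction(0)) + p * q
    return out


COIN: Dist = {0: Fraction(1, 2), 1: Fraction(1, 2)}


def evaluate(term: Term, env: Dict[str, Tuple[str, Any]], cbn: bool) -> Dist:
    """env binds a variable either to ('thunk', term), re-evaluated at every
    use so that each use is a fresh sample, or to ('val', v), a value drawn
    once.  Thunks are re-run in the current env, which assumes the programs
    evaluated do not shadow variables."""
    tag = term[0]
    if tag == 'coin':
        return COIN
    if tag == 'lit':
        return pure(term[1])
    if tag == 'var':
        kind, payload = env[term[1]]
        return evaluate(payload, env, cbn) if kind == 'thunk' else pure(payload)
    if tag in ('add', 'eq'):
        op = (lambda a, b: a + b) if tag == 'add' else (lambda a, b: a == b)
        return bind(evaluate(term[1], env, cbn),
                    lambda a: bind(evaluate(term[2], env, cbn),
                                   lambda b: pure(op(a, b))))
    if tag == 'let' and cbn:
        _, x, m, n = term
        return evaluate(n, {**env, x: ('thunk', m)}, cbn)
    if tag in ('let', 'sample'):     # CBV let and sample: draw once, bind the value
        _, x, m, n = term
        return bind(evaluate(m, env, cbn),
                    lambda v: evaluate(n, {**env, x: ('val', v)}, cbn))
    raise ValueError(f"unknown term {tag!r}")


def run_cbn(term: Term) -> Dist:
    return evaluate(term, {}, cbn=True)


def run_cbv(term: Term) -> Dist:
    return evaluate(term, {}, cbn=False)


# Constructed programs.
TWICE = ('let', 'x', ('coin',), ('add', ('var', 'x'), ('var', 'x')))
SELF_EQ = ('sample', 'x', ('coin',), ('eq', ('var', 'x'), ('var', 'x')))
LET_EQ = ('let', 'x', ('coin',), ('eq', ('var', 'x'), ('var', 'x')))

if __name__ == '__main__':
    print(run_cbn(TWICE))     # {0: 1/4, 1: 1/2, 2: 1/4}: two independent flips
    print(run_cbv(TWICE))     # {0: 1/2, 2: 1/2}: one flip, used twice
    print(run_cbn(SELF_EQ))   # {True: 1}: sample draws once even under CBN
```

The comparison of LET_EQ under CBN with SELF_EQ is the point of the sample construct: with a CBN let, x = x is true only half of the time, whereas sample binds a value and the test is always true.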
This combined calculus enjoys the expected syntactic properties². 


Theorem 3. Let $\Gamma, x : \tau' \vdash_{LL} t : \tau$ and $\Delta \vdash_{LL} u : \tau'$ be well-typed terms. Then 
$\Gamma, \Delta \vdash_{LL} t\{x/u\} : \tau$. 


Proof. The proof can be found in Appendix D. 


The following example illustrates how we can use the MK language to duplicate and discard linear variables.

Example 1. The program which samples from a distribution $t$ and then returns a perfectly correlated pair is given by:

$$\cdot \vdash_{LL} \mathsf{sample}\ t\ \mathsf{as}\ x\ \mathsf{in}\ (x, x) : M(\tau \times \tau)$$

Similarly, the program that samples from a distribution $t$ and does not use its sampled value is represented by the term

$$\cdot \vdash_{LL} \mathsf{sample}\ t\ \mathsf{as}\ x\ \mathsf{in}\ \mathsf{unit} : M1$$

Example 2. Suppose that we have a Markov kernel given by an open MK term $x : \mathbb{N} \vdash_{MK} M : \mathbb{N}$. If we want to encapsulate it as a linear program of type $M\mathbb{N} \multimap M\mathbb{N}$ we can write:

$$\cdot \vdash_{LL} \lambda meas.\, (\mathsf{sample}\ meas\ \mathsf{as}\ x\ \mathsf{in}\ M) : M\mathbb{N} \multimap M\mathbb{N}$$


Example 3. As we explain in the introduction, Dahlqvist and Kozen must add many primitives to their language to work around their linearity restrictions. For instance, in order to write projection functions $\mathbb{R}^n \to \mathbb{R}^m$, $n > m$, they must add projection primitives to the language.

By having compositional type constructors that can represent joint distributions, i.e. $M(\tau \times \tau)$, it is possible to write the program sample $t$ as $x$ in $(\pi_1 x, \pi_3 x)$, which samples from a distribution over triples and returns only the first and third components, using only the syntax of products in MK.

² To avoid visually polluting the proofs we will drop the color code in Theorem 3 and Theorem 7.


Unfortunately there are some aspects of this language that are still restrictive. For instance, imagine that we want to write an LL program that receives two "Markov kernels" $M\mathbb{N} \multimap M\mathbb{N}$ and a distribution over $\mathbb{N}$ as inputs, samples from the input distribution, feeds the result to the Markov kernels, samples from them and adds the results. Its type would be

$$(M\mathbb{N} \multimap M\mathbb{N}) \multimap (M\mathbb{N} \multimap M\mathbb{N}) \multimap M\mathbb{N} \multimap M\mathbb{N}$$

Even though the program only requires you to sample once from each distribution, it is still not possible to write it in the linear language.

We will show in Section 4 how the type constructor $M$ actually corresponds to an applicative functor [19], and the limitation above is actually a particular case of a fundamental difference between programming with applicative functors and programming with monads.


Remark 1. We now have two languages that can interpret probabilistic primitives such as coin. However, every primitive $M$ in the MK language can be easily transported to an LL program by using an empty list of LL programs: sample _ as _ in $M$. Therefore it makes sense to only add these primitives to the MK language.


4 Categorical Semantics 


As is the case with categorical interpretations of languages and logics, types and contexts are interpreted as objects in a category and every well-typed program/proof gives rise to a morphism.

In our case, MK types $\tau$ are interpreted as objects $\llbracket \tau \rrbracket$ in a Markov category $(\mathbf{M}, \times)$ and well-typed programs $\Gamma \vdash_{MK} M : \tau$ are interpreted as $\mathbf{M}$-morphisms $\llbracket \Gamma \rrbracket \to \llbracket \tau \rrbracket$, as shown in Figure 6. Similarly, LL types $\tau$ are interpreted as objects $\llbracket \tau \rrbracket$ in a model of linear logic $(\mathbf{C}, \otimes, \multimap)$ and well-typed programs $\Gamma \vdash_{LL} t : \tau$ are interpreted as $\mathbf{C}$-morphisms $\llbracket \Gamma \rrbracket \to \llbracket \tau \rrbracket$, as shown in Figure 7.

To give semantics to the combined language is not as straightforward. The sample rule allows the programmer to run LL programs, bind the results to MK variables and use said variables in an MK continuation. The implication of this rule in our formalism is that our semantics should provide a way of translating MK programs into LL programs. In category theory this is usually achieved by a functor $M : \mathbf{M} \to \mathbf{C}$.

However, we can easily see that functors are not enough to interpret the sample rule. Consider what happens when you apply $M$ to an MK program $x_1 : \tau_1, x_2 : \tau_2 \vdash_{MK} N : \tau$:

$$M\llbracket N \rrbracket : M(\tau_1 \times \tau_2) \to M\tau$$

To precompose it with two LL programs outputting $M\tau_1$ and $M\tau_2$ we need a mediating morphism $\mu_{\tau_1, \tau_2} : M\tau_1 \otimes M\tau_2 \to M(\tau_1 \times \tau_2)$. Furthermore, if $N$ has three or more free variables, there would be several ways of applying $\mu$. Since from a programming standpoint it should not matter how the LL programs are associated, we require that $\mu_{\tau_1, \tau_2}$ makes the lax monoidality diagrams commute. Therefore, assuming lax monoidality of $\mu$, we can interpret the sample rule:

$$\textsc{Sample}\quad \dfrac{\Gamma_i \xrightarrow{\llbracket t_i \rrbracket} M\tau_i \qquad \tau_1 \times \cdots \times \tau_n \xrightarrow{\llbracket N \rrbracket} \tau}{\Gamma_1 \otimes \cdots \otimes \Gamma_n \xrightarrow{\llbracket t_1 \rrbracket \otimes \cdots \otimes \llbracket t_n \rrbracket} M\tau_1 \otimes \cdots \otimes M\tau_n \xrightarrow{\mu} M(\tau_1 \times \cdots \times \tau_n) \xrightarrow{M\llbracket N \rrbracket} M\tau}$$

In case it only has one MK variable, the semantics is given by $\llbracket t \rrbracket ; M\llbracket N \rrbracket$, and in case it does not have any free variables the semantics is $\varepsilon ; M\llbracket N \rrbracket$.

The equational theory of the LL language is the well-known theory of the simply-typed $\lambda$-calculus, and the MK equational theory has been described, in graphical notation, by Fritz [12]. What is not obvious is how they interact at their boundary. This is where $M$ being a functor becomes relevant, since functoriality yields the following two program equivalences:


Theorem 4. Let $t$, $M$ and $N$ be well-typed programs. Then

$$\llbracket (\lambda y.\ \mathsf{sample}\ y\ \mathsf{as}\ z\ \mathsf{in}\ N)\ (\mathsf{sample}\ t\ \mathsf{as}\ x\ \mathsf{in}\ M) \rrbracket = \llbracket \mathsf{sample}\ t\ \mathsf{as}\ x\ \mathsf{in}\ (\mathsf{let}\ z = M\ \mathsf{in}\ N) \rrbracket$$

Proof.

$$\llbracket (\lambda y.\ \mathsf{sample}\ y\ \mathsf{as}\ z\ \mathsf{in}\ N)\ (\mathsf{sample}\ t\ \mathsf{as}\ x\ \mathsf{in}\ M) \rrbracket = \llbracket t \rrbracket ; M\llbracket M \rrbracket ; M\llbracket N \rrbracket = \llbracket t \rrbracket ; M(\llbracket M \rrbracket ; \llbracket N \rrbracket) = \llbracket \mathsf{sample}\ t\ \mathsf{as}\ x\ \mathsf{in}\ (\mathsf{let}\ z = M\ \mathsf{in}\ N) \rrbracket$$

Theorem 5. Let $t$ be a well-typed program. Then

$$\llbracket \mathsf{sample}\ t\ \mathsf{as}\ x\ \mathsf{in}\ x \rrbracket = \llbracket t \rrbracket$$

Proof. $\llbracket \mathsf{sample}\ t\ \mathsf{as}\ x\ \mathsf{in}\ x \rrbracket = \llbracket t \rrbracket ; M(\llbracket x \rrbracket) = \llbracket t \rrbracket ; M(\mathrm{id}) = \llbracket t \rrbracket ; \mathrm{id} = \llbracket t \rrbracket$.
Furthermore, we also have a modularity property that can be easily proven:

Theorem 6. Let $t$, $M$ and $N$ be well-typed programs. If $\llbracket M \rrbracket = \llbracket N \rrbracket$ then $\llbracket \mathsf{sample}\ t\ \mathsf{as}\ x\ \mathsf{in}\ M \rrbracket = \llbracket \mathsf{sample}\ t\ \mathsf{as}\ x\ \mathsf{in}\ N \rrbracket$.

The expected compositionality of the semantics also holds:


Theorem 7. Let $x_1 : \tau_1, \ldots, x_n : \tau_n \vdash t : \tau$ and $\Gamma_i \vdash t_i : \tau_i$ be well-typed terms. Then

$$\llbracket \Gamma_1, \ldots, \Gamma_n \vdash t\{x_1/t_1, \ldots, x_n/t_n\} : \tau \rrbracket = (\llbracket \Gamma_1 \vdash t_1 : \tau_1 \rrbracket \otimes \cdots \otimes \llbracket \Gamma_n \vdash t_n : \tau_n \rrbracket) ; \llbracket x_1 : \tau_1, \ldots, x_n : \tau_n \vdash t : \tau \rrbracket$$

Proof. The proof can be found in Appendix D.

$$\textsc{Subst}\quad \dfrac{\Gamma \vdash u_1 : \tau' \qquad \Gamma \vdash u_2 : \tau' \qquad \Delta, x : \tau' \vdash t : \tau \qquad \Gamma \vdash u_1 = u_2 : \tau'}{\Gamma, \Delta \vdash t\{x/u_1\} = t\{x/u_2\} : \tau}$$

From this theorem we can conclude:

Corollary 1. The Subst rule shown above is sound with respect to the categorical semantics.


Lax monoidal functors, under the name applicative functors, are widely used in programming languages research [19]. They are often used to define embedded domain-specific languages (eDSLs) within a host language. This suggests that from a design perspective the Markov kernel language can be thought of as an eDSL inside a linear language.

We have just shown that $M$ being lax monoidal is sufficient to give semantics to our combined language, but what would happen if it had even more structure? If it were also full it would be possible to add a reification command³:

$$\dfrac{M\Gamma \vdash_{LL} t : M\tau}{\Gamma \vdash_{MK} \mathsf{reify}(t) : \tau}$$

where $M\Gamma$ is notation for every variable in $\Gamma$ being of the form $M\tau'$, for some $\tau'$. The semantics for the rule would be taking the inverse image of $M$. As we will show in the next section, there are some concrete models where $M$ is full and some other models where it is not. Computationally, fullness of $M$ can be interpreted as every program of type $M\tau \multimap M\tau'$ being equal to a Markov kernel.

A property which is easier to satisfy is faithfulness, which is verified by both models in the next section. In this case the translation of the MK language into the LL language is fully abstract in the following sense:

Theorem 8. Let $x : \tau \vdash M : \tau'$ and $x : \tau \vdash N : \tau'$ be two well-typed MK programs. If $M$ is faithful then $\llbracket \mathsf{sample}\ y\ \mathsf{as}\ x\ \mathsf{in}\ M \rrbracket = \llbracket \mathsf{sample}\ y\ \mathsf{as}\ x\ \mathsf{in}\ N \rrbracket$ implies $\llbracket M \rrbracket = \llbracket N \rrbracket$.

Proof. $\llbracket \mathsf{sample}\ y\ \mathsf{as}\ x\ \mathsf{in}\ M \rrbracket = \llbracket \mathsf{sample}\ y\ \mathsf{as}\ x\ \mathsf{in}\ N \rrbracket \implies \mathrm{id}_{M\tau} ; M\llbracket M \rrbracket = \mathrm{id}_{M\tau} ; M\llbracket N \rrbracket \implies \llbracket M \rrbracket = \llbracket N \rrbracket$.
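The following Python code is an added example and not code from the paper. It spells out the discrete-distribution reading of the sample construct used in Examples 1 to 3 and checks Theorems 4, 5 and 8 on constructed inputs: a distribution is a dict from outcomes to exact Fractions, a Markov kernel is a Python function from the tuple of sampled values to such a dict, and the helper names `dirac`, `kleisli`, `mu` and `sample` are the example's own choices. `mu` is the lax monoidal map (the product distribution), so the difference between `mu(coin, coin)` and `sample([coin], ...)` is exactly the difference between the tensor, which forbids reuse, and the MK continuation, which duplicates the one sample.

```python
from fractions import Fraction
from itertools import product

# Assumed representation (not from the paper): a finite discrete distribution is a dict
# outcome -> probability (exact Fractions); a Markov kernel is a Python function that takes
# the tuple of sampled values (x_1, ..., x_n) and returns such a dict.

def dirac(x):
    """Point mass at x, the unit of the distribution monad."""
    return {x: Fraction(1)}

def kleisli(d, k):
    """d ; k in the Kleisli (Markov) category: run the kernel k on every outcome of d and
    weight the results.  This is also the action of M on the kernel k, applied to d."""
    out = {}
    for x, p in d.items():
        for y, q in k(x).items():
            out[y] = out.get(y, Fraction(0)) + p * q
    return out

def mu(*ds):
    """The lax monoidal map mu : M t_1 ⊗ ... ⊗ M t_n -> M(t_1 × ... × t_n), i.e. the product
    distribution; with no arguments it is the unit eps, the point mass on the empty tuple."""
    out = {}
    for combo in product(*(d.items() for d in ds)):
        xs = tuple(x for x, _ in combo)
        p = Fraction(1)
        for _, q in combo:
            p *= q
        out[xs] = out.get(xs, Fraction(0)) + p
    return out

def sample(ts, body):
    """[[sample t_1 as x_1, ..., t_n as x_n in N]] = ([[t_1]] ⊗ ... ⊗ [[t_n]]) ; mu ; M[[N]].
    A deterministic MK continuation is written as `lambda xs: dirac(...)`."""
    return kleisli(mu(*ts), body)

def noisy_inc(xs):
    """A constructed kernel N -> N: returns its input or its successor, each with probability 1/2."""
    return {xs[0]: Fraction(1, 2), xs[0] + 1: Fraction(1, 2)}

def double(zs):
    """A constructed deterministic kernel N -> N."""
    return dirac(2 * zs[0])

# Constructed inputs.
coin = {0: Fraction(1, 2), 1: Fraction(1, 2)}
triple = mu(coin, dirac("k"), {"a": Fraction(1, 4), "b": Fraction(3, 4)})  # a distribution over triples

# Example 1: `sample coin as x in (x, x)` is a perfectly correlated pair ...
correlated = sample([coin], lambda xs: dirac((xs[0], xs[0])))
# ... whereas the tensor of two coins, via mu alone, is the independent pair.
independent = mu(coin, coin)
# Example 1, second half, and the program `sample coin as x in (x = x)`.
discarded = sample([coin], lambda xs: dirac(()))
self_equal = sample([coin], lambda xs: dirac(xs[0] == xs[0]))
# Example 3: `sample t as x in (π1 x, π3 x)` marginalises a triple without leaving MK.
first_and_third = sample([triple], lambda xs: dirac((xs[0][0], xs[0][2])))

def theorem4_holds(t, m, n):
    """(λy. sample y as z in N)(sample t as x in M)  ==  sample t as x in (let z = M in N)."""
    lhs = sample([sample([t], m)], n)
    rhs = sample([t], lambda xs: kleisli(m(xs), lambda z: n((z,))))
    return lhs == rhs

def theorem5_holds(t):
    """sample t as x in x  ==  t."""
    return sample([t], lambda xs: dirac(xs[0])) == t

def recover_kernel(lifted):
    """Theorem 8 in the discrete model: M is faithful, so the kernel can be read back from the
    lifted program y |-> sample y as x in M by feeding it Dirac inputs."""
    return lambda xs: lifted(dirac(xs[0]))
```

Running `sample([], body)` with an empty list of LL programs is the transport of an MK primitive described in Remark 1: `mu()` is the point mass on the empty tuple, so the result is just the primitive itself.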


5 Concrete Models 


In this section we show how existing models for both discrete as well as contin- 
uous probabilities fit within our formalism. 


³ The proposed rule breaks the substitution theorem, but it is possible to define a variant of it where this is not the case.

5.1 Discrete Probability


For the sake of simplicity we will denote the monoidal product of CountStoch as $\times$.

The probabilistic coherence space model of linear logic has been extensively studied in the context of the semantics of discrete probabilistic languages [9].


Definition 10 (Probabilistic Coherence Spaces [9]). A probabilistic coherence space (PCS) is a pair $(|X|, \mathcal{P}(X))$ where $|X|$ is a countable set, called the web, and $\mathcal{P}(X) \subseteq |X| \to \mathbb{R}^+$ is a set such that:

— $\forall a \in |X|\ \exists \varepsilon_a > 0$ such that $\varepsilon_a \delta_a \in \mathcal{P}(X)$, where $\delta_a(a') = 1$ if $a = a'$ and $0$ otherwise;
— $\forall a \in |X|\ \exists \lambda_a\ \forall u \in \mathcal{P}(X)$, $u_a \le \lambda_a$;
— $\mathcal{P}(X)^{\perp\perp} = \mathcal{P}(X)$, where $\mathcal{P}(X)^{\perp} = \{u \in |X| \to \mathbb{R}^+ \mid \forall v \in \mathcal{P}(X),\ \sum_{a \in |X|} u_a v_a \le 1\}$.

We can define a category PCoh where objects are probabilistic coherence spaces and morphisms $X \to Y$ are matrices $f : |X| \times |Y| \to \mathbb{R}^+$ such that for every $v \in \mathcal{P}(X)$, $(f v) \in \mathcal{P}(Y)$, where $(f v)_b = \sum_{a \in |X|} f(a, b)\, v_a$.

Definition 11. Let $(|X|, \mathcal{P}(X))$ and $(|Y|, \mathcal{P}(Y))$ be PCS. We define $X \otimes Y = (|X| \times |Y|, \{x \otimes y \mid x \in \mathcal{P}(X), y \in \mathcal{P}(Y)\}^{\perp\perp})$, where $(x \otimes y)(a, b) = x(a)\, y(b)$.

Lemma 1. Let $X$ be a countable set. The pair $(X, \{\mu : X \to \mathbb{R}^+ \mid \sum_{x \in X} \mu(x) \le 1\})$ is a PCS.


Proof. The first two points are obvious, as the Dirac measure is a subprobability measure and every subprobability measure is bounded above by the constant function $\mu_1(a) = 1$.

To prove the last point we use the (easy to prove) fact that $\mathcal{P}(X) \subseteq \mathcal{P}(X)^{\perp\perp}$; therefore we must only prove the other direction. First, observe that if $u \in \{\mu : X \to \mathbb{R}^+ \mid \sum_{x \in X} \mu(x) \le 1\}$, then $\sum_{x} u(x)\, \mu_1(x) = \sum_{x} u(x) \le 1$, so $\mu_1 \in \{\mu : X \to \mathbb{R}^+ \mid \sum_{x \in X} \mu(x) \le 1\}^{\perp}$.

Let $f \in \{\mu : X \to \mathbb{R}^+ \mid \sum_{x \in X} \mu(x) \le 1\}^{\perp\perp}$. By definition, $\sum_{x} f(x) = \sum_{x} f(x)\, \mu_1(x) \le 1$ and, therefore, the third point holds.

This lemma can be used to give semantics to probabilistic primitives. For instance, a fair coin is interpreted as the function $\mathsf{coin} : \mathbb{N} \to [0, 1]$ which is $0.5$ at $0$ and at $1$ and $0$ elsewhere; it is an element of $\mathcal{P}(\mathbb{N})$.


Lemma 2. Let $X \to Y$ be a CountStoch morphism. It is also a PCoh morphism.

Theorem 9. There is a lax monoidal functor $M : \mathbf{CountStoch} \to \mathbf{PCoh}$.

Proof. The functor is defined using the lemmas above. Functoriality holds because the functor is the identity on arrows. The lax monoidal structure is given by $\varepsilon = \mathrm{id}_1$ and $\mu_{X,Y} = \mathrm{id}_{X \times Y}$.
Lemma 3. If $u \in \{x \otimes y \mid x \in M(X), y \in M(Y)\}^{\perp}$ then for every $x \in X$ and $y \in Y$, $u(x, y) \le 1$.

Proof. If there were indices such that $u(x_1, y_1) > 1$ then $\sum_{x, y} u(x, y)\, (\delta_{x_1} \otimes \delta_{y_1})(x, y) \ge u(x_1, y_1)\, (\delta_{x_1} \otimes \delta_{y_1})(x_1, y_1) = u(x_1, y_1) > 1$, which is a contradiction.

Lemma 4. Let $X$ and $Y$ be two countable sets. Then

$$MX \otimes MY = \Big( X \times Y,\ \{u : X \times Y \to \mathbb{R}^+ \mid \sum_{x \in X} \sum_{y \in Y} u(x, y) \le 1\} \Big) = M(X \times Y).$$

Proof. By the lemma above it follows that if we have a joint probability distribution $\mu$ over $X \times Y$ and an element $u \in \{x \otimes y \mid x \in M(X), y \in M(Y)\}^{\perp}$ then

$$\sum_{x, y} u(x, y)\, \mu(x, y) \le \sum_{x, y} \mu(x, y) \le 1.$$

Theorem 10. Both $\varepsilon$ and $\mu_{X,Y}$ are isomorphisms.

Proof. Since $\varepsilon$ is the identity morphism, it is trivially an isomorphism. The morphisms $\mu_{X,Y}$ being isomorphisms is a direct consequence of the lemmas above.


Theorem 11. The functor M is full. 


Both results above can be directly used to enhance the syntax of the combined language. From Theorem 10 we can conclude that elements of type $M(\tau_1 \times \tau_2)$, by projecting their marginal distributions, can be manipulated as if they had type $M\tau_1 \otimes M\tau_2$. Something to note is that when we do this marginalization process we lose potential correlations between the elements of the pair.
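The Python code below is an added example, not code from the paper, that makes the discrete model concrete on finite webs: it checks that a stochastic matrix acts as a PCoh morphism on subprobability vectors (Lemma 2), decides membership in the dual $\{x \otimes y\}^{\perp}$ (Lemma 3 and its converse, which on a finite web reduces to a max-entry test because the pairing is bilinear and the subprobability vectors form a simplex), shows that a perfectly correlated joint distribution lies in $MX \otimes MY$ (Lemma 4), and exhibits the loss of correlation under the marginalisation allowed by Theorem 10. The web lists, the dict encodings of vectors and matrices, the noisy channel and the randomised sanity check are all the example's own assumptions.

```python
import random

# Added example, not code from the paper.  Assumed encoding: a PCS over a finite web is given by
# the web as a list; vectors over a web are dicts element -> non-negative float, and a PCoh
# morphism is a dict (a, b) -> entry (missing entries are zero).

WEB_X = [0, 1]
WEB_Y = ["a", "b"]

def pairing(u, v):
    """<u, v> = Σ_a u_a v_a, the bilinear form behind the dual P(X)^⊥."""
    return sum(u.get(a, 0.0) * v.get(a, 0.0) for a in set(u) | set(v))

def is_subprobability(v):
    """Membership in the PCS of Lemma 1: non-negative entries summing to at most 1."""
    return all(p >= 0 for p in v.values()) and sum(v.values()) <= 1 + 1e-12

def is_stochastic(f, web_x, web_y):
    """A CountStoch morphism: non-negative entries with every row a probability distribution."""
    rows_ok = all(abs(sum(f.get((a, b), 0.0) for b in web_y) - 1) < 1e-12 for a in web_x)
    return rows_ok and all(f.get((a, b), 0.0) >= 0 for a in web_x for b in web_y)

def apply_matrix(f, v, web_y):
    """(f v)_b = Σ_a f(a, b) v_a: the action of a PCoh morphism on a vector.  For a stochastic
    f this keeps subprobability vectors subprobability, which is Lemma 2."""
    return {b: sum(f.get((a, b), 0.0) * p for a, p in v.items()) for b in web_y}

def in_dual_of_products(u, web_x, web_y):
    """u ∈ {x ⊗ y | x ∈ M(X), y ∈ M(Y)}^⊥ on finite webs.  <u, x ⊗ y> is bilinear in (x, y) and
    the subprobability vectors form a simplex, so the supremum over product vectors is attained
    at a pair of Dirac vertices; the test therefore reduces to max_{a,b} u(a, b) <= 1 (Lemma 3
    is the 'only if' direction, the vertex argument the converse)."""
    return max(u.get((a, b), 0.0) for a in web_x for b in web_y) <= 1

def in_tensor_web(joint):
    """Lemma 4: the dual of the product vectors is {u | max u <= 1}, so the double dual
    MX ⊗ MY is exactly the set of joint subprobability vectors (u ≡ 1 is the extremal witness,
    since <1, joint> = Σ joint).  Correlated joints therefore live in MX ⊗ MY in this model."""
    return is_subprobability(joint)

def product_of_marginals(joint, web_x, web_y):
    """Marginalise and re-multiply: the manipulation licensed by Theorem 10, which forgets
    the correlation of the pair."""
    mx = {a: sum(joint.get((a, b), 0.0) for b in web_y) for a in web_x}
    my = {b: sum(joint.get((a, b), 0.0) for a in web_x) for b in web_y}
    return {(a, b): mx[a] * my[b] for a in web_x for b in web_y}

def random_subprobability(web, rng):
    """A random vector with non-negative entries and total mass uniformly below 1."""
    weights = [rng.random() for _ in web]
    scale = rng.random() / sum(weights)
    return {a: w * scale for a, w in zip(web, weights)}

def empirical_sup_over_products(u, web_x, web_y, trials=2000, seed=1):
    """Randomised sanity check of in_dual_of_products: the largest <u, x ⊗ y> seen over sampled
    product vectors never exceeds max u."""
    rng = random.Random(seed)
    best = 0.0
    for _ in range(trials):
        x, y = random_subprobability(web_x, rng), random_subprobability(web_y, rng)
        xy = {(a, b): x[a] * y[b] for a in web_x for b in web_y}
        best = max(best, pairing(u, xy))
    return best

# Constructed data: a binary noisy channel and a perfectly correlated joint distribution.
CHANNEL = {(0, "a"): 0.9, (0, "b"): 0.1, (1, "a"): 0.2, (1, "b"): 0.8}
CORRELATED = {(0, 0): 0.5, (1, 1): 0.5}
```

The contrast with Section 5.2 is the point: in the continuous model the analogue of `in_tensor_web` fails for some joint measures, which is why correlated pairs there must be handled in MK rather than as tensors.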


5.2 Continuous Probability 


In order to accommodate continuous distributions we can use regularly ordered 
Banach spaces, whose detailed definition goes beyond the scope of this paper. 


Definition 12 ([8]). The category RoBan has regularly ordered Banach spaces 
as objects and regular linear functions as morphisms. 


Theorem 12. There is a lax monoidal functor $M : \mathbf{Kern} \to \mathbf{RoBan}$.

Proof. The functor acts on objects by sending a measurable space to the set of signed measures over it, which can be equipped with a RoBan structure. On morphisms it sends a Markov kernel $f$ to the linear function $M(f)(\mu) = \int f\, d\mu$.

The monoidal structure of RoBan satisfies the universal property of tensor products and, therefore, we can define the natural transformation $\mu_{X,Y} : M(X) \otimes M(Y) \to M(X \times Y)$ as the function generated by the bilinear function $M(X) \times M(Y) \to M(X \times Y)$ which maps a pair of distributions to its product measure. The map $\varepsilon$ is, once again, equal to the identity function.

The commutativity of the lax monoidality diagrams follows from the universal property of the tensor product: it suffices to verify it for elements $\mu_A \otimes \mu_B \otimes \mu_C$.
In RoBan the uniform distribution over the interval $[0, 1]$ is an element of $M\mathbb{R}$, meaning that it can soundly interpret a primitive $\cdot \vdash_{LL} \mathsf{uniform} : M\mathbb{R}$.

Even though $M$ looks very similar to the discrete case, it follows from a well-known theorem from functional analysis that the functor is not strong monoidal, meaning that there are joint probability distributions (elements of $M(A \times B)$) that cannot be represented as an element of the tensor product $M(A) \otimes M(B)$ and, as such, programs of type $M(A \times B)$ must be manipulated in the MK language, as shown in Example 3.


6 Beyond Probability 


We have seen that this new resource interpretation is present in different models of linear logic for probabilistic programming. In this section we show that this model can be generalized to commutative effects, i.e. effects where the program equation Commutativity below holds. Categorically, these effects are captured by monoidal monads⁴. Due to length issues, we will not fully detail the definition of monoidal monads, but we suggest the interested reader consult Seal [23].

$$\textsc{Commutativity}\quad \dfrac{\Gamma \vdash t_1 : \tau_1 \qquad \Gamma \vdash t_2 : \tau_2 \qquad \Gamma, x_1 : \tau_1, x_2 : \tau_2 \vdash u : \tau}{\Gamma \vdash \mathsf{let}\ x_1 = t_1\ \mathsf{in}\ (\mathsf{let}\ x_2 = t_2\ \mathsf{in}\ u) = \mathsf{let}\ x_2 = t_2\ \mathsf{in}\ (\mathsf{let}\ x_1 = t_1\ \mathsf{in}\ u) : \tau}$$

Definition 13 ([23]). Let $(\mathbf{C}, \otimes, I)$ be a monoidal category and $(T, \eta, \mu)$ a monad over it. The monad $T$ is called monoidal if it comes equipped with a natural transformation $\kappa_{X,Y} : TX \otimes TY \to T(X \otimes Y)$ making certain diagrams commute.


For probability monads the transformation $\kappa$ corresponds to forming the product probability distribution and, more generally, it can be thought of as a program that runs both of its (effectful) inputs and pairs the outputs.

Every monad gives rise to the interesting categories $\mathbf{C}_T$ and $\mathbf{C}^T$ which are, respectively, the Kleisli category and the Eilenberg-Moore category. The objects of $\mathbf{C}_T$ are the same as those of $\mathbf{C}$ and morphisms between $A$ and $B$ are $\mathbf{C}$ morphisms $A \to TB$, with the identity morphism being equal to the unit $\eta$ of the monad and composition given by $f ; g = f ; Tg ; \mu$.

The objects of the category $\mathbf{C}^T$ are pairs $(X, x)$, where $X$ is a $\mathbf{C}$ object and $x : TX \to X$ is a $\mathbf{C}$ morphism such that $\mu ; x = Tx ; x$ and $\eta ; x = \mathrm{id}_X$, and morphisms between objects $(X, x)$ and $(Y, y)$ are $\mathbf{C}$ morphisms $f : X \to Y$ such that $x ; f = Tf ; y$.

For every monad $T$ there is a canonical inclusion functor $\iota : \mathbf{C}_T \to \mathbf{C}^T$ which maps $X$ to $(TX, \mu)$ and $f : X \to Y$ to $Tf ; \mu_Y$.


Theorem 13 ([5]). The functor $\iota$ is full and faithful.


⁴ Monoidal monads are equivalent to commutative monads, which is the nomenclature usually used in the context of programming languages semantics.

As we explain in Appendix C, assuming enough structure on the category $\mathbf{C}$ we can show that the triple $(\mathbf{C}_T, \mathbf{C}^T, \iota)$ is a model of the MK+LL language, and we can bring our new resource interpretation of linear logic to other commutative effects.

An illustrative example is the powerset monad $\mathcal{P} : \mathbf{Set} \to \mathbf{Set}$, which is monoidal. Since $\mathbf{Set}$ has the necessary structure, the triple $(\mathbf{Set}_{\mathcal{P}}, \mathbf{Set}^{\mathcal{P}}, \iota)$ is a model of our language and can be used to give semantics to non-deterministic computation.

In the context of commutative effects other than randomness, the syntax sample $t$ as $x$ in $M$ does not make as much sense, in which case we can use the syntax observe $t_i$ as $x_i$ in $M$ instead. Once again, operationally, the programs $t_i$ are fully executed and the values are bound to $x_i$ in $M$, which is then executed.

Furthermore, other effects have other relevant effectful operations and, therefore, we can assume that there is a set of operations in the MK language that are interpreted in the Kleisli category and can be transported to LL using observe, similar to how it was done in the probabilistic case.

For the non-deterministic case we can assume the existence of typing rules for non-deterministic choice and failure:

$$\textsc{Choice}\quad \dfrac{\Gamma \vdash_{MK} t_1 : \tau \qquad \Gamma \vdash_{MK} t_2 : \tau}{\Gamma \vdash_{MK} t_1 \oplus t_2 : \tau} \qquad\qquad \textsc{Null}\quad \dfrac{}{\Gamma \vdash_{MK} \emptyset : \tau}$$

satisfying the expected equations and interpreted using set-theoretic union and the empty set, respectively.
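The Python code below is an added example, not code from the paper. It instantiates the construction of this section for the powerset monad: `bind` is Kleisli composition, `kappa` is the monoidal structure $\kappa$ (Cartesian product of sets), `observe` is the semantics of the observe construct, `choice` and `NULL` interpret the Choice and Null rules as union and the empty set, and `commutativity_holds` checks the Commutativity equation on constructed terms. The encoding of MK terms as Python functions from tuples to frozensets, and all names and sample terms, are assumptions of the example.

```python
from itertools import product

# Added example, not code from the paper.  Assumed encoding: an MK term of type τ with free
# variables x_1..x_n denotes a Kleisli arrow for the powerset monad, i.e. a Python function from
# the tuple (x_1, ..., x_n) to a frozenset of outcomes; closed terms are just frozensets.

def unit(x):
    """η : X -> P X, the singleton."""
    return frozenset([x])

def join(sets):
    """μ : P P X -> P X, the union."""
    return frozenset(x for s in sets for x in s)

def bind(s, k):
    """Kleisli composition s ; k = s ; P k ; μ: run k on every possible value of s and collect."""
    return join(frozenset(k(x) for x in s))

def kappa(*sets):
    """κ : P X ⊗ P Y -> P(X × Y), the Cartesian product; with no arguments it is the unit {()}."""
    return frozenset(product(*sets))

def observe(ts, body):
    """[[observe t_1 as x_1, ..., t_n as x_n in M]] = (t_1 ⊗ ... ⊗ t_n) ; κ ; M[[body]]."""
    return bind(kappa(*ts), body)

def choice(t1, t2):
    """t1 ⊕ t2 (the Choice rule), interpreted as union."""
    return t1 | t2

NULL = frozenset()   # failure (the Null rule), interpreted as the empty set

def let(t, k):
    """let x = t in k(x): Kleisli composition inside MK."""
    return bind(t, k)

def commutativity_holds(t1, t2, u):
    """The Commutativity equation: the order in which two non-deterministic computations are
    run does not matter, which is what licenses binding them simultaneously with observe."""
    lhs = let(t1, lambda x1: let(t2, lambda x2: u(x1, x2)))
    rhs = let(t2, lambda x2: let(t1, lambda x1: u(x1, x2)))
    return lhs == rhs

def monad_laws_hold(s, k, h):
    """Unit and associativity of Kleisli composition for P, the laws that make let and observe
    well-behaved compositions."""
    left_unit = all(bind(unit(x), k) == k(x) for x in s)
    right_unit = bind(s, unit) == s
    assoc = bind(bind(s, k), h) == bind(s, lambda x: bind(k(x), h))
    return left_unit and right_unit and assoc

def succ_or_fail(x):
    """A constructed kernel that fails (empty set) on even inputs."""
    return unit(x + 1) if x % 2 else NULL

def spread(x):
    """A constructed kernel returning either sign of its input."""
    return choice(unit(x), unit(-x))

# Constructed closed terms.
T1 = choice(unit(1), unit(2))     # 1 ⊕ 2
T2 = choice(unit(10), NULL)       # 10 ⊕ ∅, which equals {10}
```

As in the probabilistic case, `observe([T1], lambda xs: unit((xs[0], xs[0])))` yields the two "correlated" pairs (1, 1) and (2, 2), whereas `kappa(T1, T1)` yields all four: duplicating the bound variable inside the MK continuation is not the same as tensoring two copies of the term.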

A similar connection between linear logic and monoidal monads has been made by Benton and Wadler [4], who relate Moggi's monadic $\lambda$-calculus with linear logic by showing that if a monad is monoidal and the category has equalizers and coequalizers, then the Eilenberg-Moore category is a model of linear logic.


7 Related Work 


Semantics of Probabilistic Programming Ehrhard et al. [11,10] have defined a model of linear logic, CLin, which can be used to interpret a higher-order probabilistic programming language. They use the call-by-name translation of intuitionistic logic into linear logic, $A \Rightarrow B = \,!A \multimap B$, to give semantics to their language. The authors extend their language with a call-by-value let syntax which makes it possible to reuse sampled values. In order to give semantics to this new language they introduce a new category $\mathbf{CLin}_m$ which can interpret this new operator, at the cost of complicating their model.

Because there is an analogous proof of Theorem 12 with the category CLin replacing RoBan, we can use their original, simpler, model to interpret our language, while not needing to use the linear logic exponential to interpret non-linear programs.
Dahlqvist and Kozen [8] have defined a category of partially ordered Banach spaces and shown that it is a model of intuitionistic linear logic. An important difference between their approach and the one mentioned above is that they embrace variable linearity as part of their syntax. As we argued in this paper, we believe that the syntactic restriction of linearity they have used is not adequate for the purposes of probabilistic programming. They deal with this limitation by adding primitives to their language which, by using the results of Section 5, could be programmed using the MK language.

Quasi-Borel spaces [15] are a conservative extension of Meas that are Cartesian closed and have a commutative probability monad. The drawback of this model is that it is still not as well understood as its measure-theoretic counterpart, and there are theorems from probability theory used to reason about programs that may not hold in the category of quasi-Borel spaces QBS.

Recently, Geoffroy [13] has made progress in connecting linear logic and quasi-Borel spaces by showing that a certain subcategory of the Eilenberg-Moore category for the probability monad in QBS is a model of classical linear logic, which we see as an instance of our model where the MK language can have higher-order functions as well.


Call-by-Push-Value The idea of having two distinct type systems that are connected by a functorial layer is reminiscent of Call-by-Push-Value (CBPV) [17], which has a type system for values and a type system for computations that are connected by an adjunction. In recent work, Ehrhard and Tasson [24] use the Eilenberg-Moore adjunction of the linear logic exponential $!$ to give semantics to a calculus that can interpret lazy and eager probabilistic computation, allowing for the interpretation of an eager let operator which is operationally similar to our sample construct. However, the existence of the let operator depends on properties of $!$ that are not known to hold for continuous distributions, while our semantics can naturally deal with continuous distributions, as we have shown in Section 5.

Furthermore, the exponential which lies at the center of their approach is, semantically, hard to work with and does not have any clear connection to probability theory, making it unlikely that their semantics can be seen as a bridge between the Markov and linear semantics, which is the case for the models presented in Section 5.

Goubault-Larrecq [14] has defined a CBPV domain semantics for a language that mixes probability and non-determinism, a long-standing challenge in the theory of programming languages. His focus is on understanding how to make probability interact with non-determinism in a sound way. He studies the full abstraction of his semantics but does not deal with connections to linear logic.
A Typing Rules and Denotational Semantics of LL and MK

$$\textsc{Var}\ \dfrac{}{\Gamma, x : \tau \vdash x : \tau} \qquad \textsc{Unit}\ \dfrac{}{\Gamma \vdash \mathsf{unit} : 1}$$

$$\textsc{Let}\ \dfrac{\Gamma \vdash M : \tau_1 \qquad \Gamma, x : \tau_1 \vdash N : \tau_2}{\Gamma \vdash \mathsf{let}\ x = M\ \mathsf{in}\ N : \tau_2} \qquad \textsc{Primitive}\ \dfrac{\Gamma \vdash M : \tau_1 \qquad f : \tau_1 \to \tau_2}{\Gamma \vdash f(M) : \tau_2}$$

$$\textsc{Pair}\ \dfrac{\Gamma \vdash M : \tau_1 \qquad \Gamma \vdash N : \tau_2}{\Gamma \vdash (M, N) : \tau_1 \times \tau_2} \qquad \textsc{Proj1}\ \dfrac{\Gamma \vdash M : \tau_1 \times \tau_2}{\Gamma \vdash \pi_1 M : \tau_1} \qquad \textsc{Proj2}\ \dfrac{\Gamma \vdash M : \tau_1 \times \tau_2}{\Gamma \vdash \pi_2 M : \tau_2}$$

Fig. 4: Typing rules MK

$$\textsc{Axiom}\ \dfrac{}{x : \tau \vdash x : \tau} \qquad \textsc{Unit}\ \dfrac{}{\cdot \vdash \mathsf{unit} : 1} \qquad \textsc{Abstraction}\ \dfrac{\Gamma, x : \tau_1 \vdash t : \tau_2}{\Gamma \vdash \lambda x.\, t : \tau_1 \multimap \tau_2}$$

$$\textsc{Application}\ \dfrac{\Gamma_1 \vdash t : \tau_1 \multimap \tau_2 \qquad \Gamma_2 \vdash u : \tau_1}{\Gamma_1, \Gamma_2 \vdash t\, u : \tau_2} \qquad \textsc{Tensor}\ \dfrac{\Gamma_1 \vdash t : \tau_1 \qquad \Gamma_2 \vdash u : \tau_2}{\Gamma_1, \Gamma_2 \vdash t \otimes u : \tau_1 \otimes \tau_2}$$

$$\textsc{LetTensor}\ \dfrac{\Gamma_1 \vdash t : \tau_1 \otimes \tau_2 \qquad \Gamma_2, x : \tau_1, y : \tau_2 \vdash u : \tau}{\Gamma_1, \Gamma_2 \vdash \mathsf{let}\ x \otimes y = t\ \mathsf{in}\ u : \tau}$$

Fig. 5: Typing rules LL

Each rule sends the interpretations of its premises to the interpretation of its conclusion:

— Var: $\Gamma \times \tau \xrightarrow{\mathsf{delete}_\Gamma \times \mathrm{id}} \tau$
— Pair: from $\Gamma \xrightarrow{M} \tau_1$ and $\Gamma \xrightarrow{N} \tau_2$ obtain $\Gamma \xrightarrow{\mathsf{copy}_\Gamma} \Gamma \times \Gamma \xrightarrow{M \times N} \tau_1 \times \tau_2$
— Proj: from $\Gamma \xrightarrow{M} \tau_1 \times \tau_2$ obtain $\Gamma \xrightarrow{M} \tau_1 \times \tau_2 \xrightarrow{\pi_1} \tau_1$ (and symmetrically with $\pi_2$)
— Let: from $\Gamma \xrightarrow{M} \tau_1$ and $\Gamma \times \tau_1 \xrightarrow{N} \tau_2$ obtain $\Gamma \xrightarrow{\mathsf{copy}_\Gamma ; (\mathrm{id}_\Gamma \times M) ; N} \tau_2$
— Primitive: from $\Gamma \xrightarrow{M} \tau_1$ and $\tau_1 \xrightarrow{f} \tau_2$ obtain $\Gamma \xrightarrow{M ; f} \tau_2$

Fig. 6: Denotational semantics for MK

— Axiom: $\tau \xrightarrow{\mathrm{id}_\tau} \tau$
— Tensor: from $\Gamma_1 \xrightarrow{t_1} \tau_1$ and $\Gamma_2 \xrightarrow{t_2} \tau_2$ obtain $\Gamma_1 \otimes \Gamma_2 \xrightarrow{t_1 \otimes t_2} \tau_1 \otimes \tau_2$
— LetTensor: from $\Gamma_1 \xrightarrow{t} \tau_1 \otimes \tau_2$ and $\Gamma_2 \otimes \tau_1 \otimes \tau_2 \xrightarrow{u} \tau$ obtain $\Gamma_2 \otimes \Gamma_1 \xrightarrow{(\mathrm{id} \otimes t) ; u} \tau$
— Abstraction: from $\Gamma \otimes \tau_1 \xrightarrow{t} \tau_2$ obtain $\Gamma \xrightarrow{\mathsf{cur}(\llbracket t \rrbracket)} \tau_1 \multimap \tau_2$
— Application: from $\Gamma_1 \xrightarrow{t} \tau_1 \multimap \tau_2$ and $\Gamma_2 \xrightarrow{u} \tau_1$ obtain $\Gamma_1 \otimes \Gamma_2 \xrightarrow{(t \otimes u) ; \mathsf{ev}} \tau_2$

Fig. 7: Denotational semantics for LL
B Commutative Diagrams

For a functor $F : \mathbf{C} \to \mathbf{D}$ with structure maps $\mu_{X,Y} : F(X) \otimes_D F(Y) \to F(X \otimes_C Y)$ and $\varepsilon : 1 \to F(1)$, lax monoidality requires, for all objects $X$, $Y$, $Z$, that the two composites

$$(F(X) \otimes_D F(Y)) \otimes_D F(Z) \xrightarrow{\mu \otimes \mathrm{id}} F(X \otimes_C Y) \otimes_D F(Z) \xrightarrow{\mu} F((X \otimes_C Y) \otimes_C Z) \xrightarrow{F(\alpha)} F(X \otimes_C (Y \otimes_C Z))$$

$$(F(X) \otimes_D F(Y)) \otimes_D F(Z) \xrightarrow{\alpha} F(X) \otimes_D (F(Y) \otimes_D F(Z)) \xrightarrow{\mathrm{id} \otimes \mu} F(X) \otimes_D F(Y \otimes_C Z) \xrightarrow{\mu} F(X \otimes_C (Y \otimes_C Z))$$

are equal, and that the two unit diagrams commute:

$$1 \otimes_D F(X) \xrightarrow{\varepsilon \otimes \mathrm{id}} F(1) \otimes_D F(X) \xrightarrow{\mu} F(1 \otimes_C X) \xrightarrow{F(\lambda)} F(X) \;=\; 1 \otimes_D F(X) \xrightarrow{\lambda} F(X)$$

$$F(X) \otimes_D 1 \xrightarrow{\mathrm{id} \otimes \varepsilon} F(X) \otimes_D F(1) \xrightarrow{\mu} F(X \otimes_C 1) \xrightarrow{F(\rho)} F(X) \;=\; F(X) \otimes_D 1 \xrightarrow{\rho} F(X)$$

Fig. 8: Lax monoidal diagrams


C Monoidal Monads and Their Algebras 


An important theorem from the categorical probability literature is that Markov categories are an abstraction of programming in the Kleisli category of monoidal affine monads, where affinity means that $T1 \cong 1$.

Theorem 14 ([12]). Let $(\mathbf{C}, \times, 1)$ be a cartesian category and $T : \mathbf{C} \to \mathbf{C}$ a monoidal (affine) monad. The Kleisli category $\mathbf{C}_T$ is a Markov category.

The monoidal product of $\mathbf{C}_T$ is $\times$ with unit $1$, the copy operation is given by $\Delta_X ; \eta_{X \times X} : X \to T(X \times X)$ and the deletion operation is given by $T1 \cong 1$ and $1$ being terminal.

Furthermore, under certain conditions, the Eilenberg-Moore category $\mathbf{C}^T$ for monoidal monads is symmetric monoidal closed. The monoidal unit is given by $TI$, the monoidal product is given by the coequalizer depicted in Figure 9 and the closed structure is given by the equalizer depicted in Figure 10.

Theorem 15. Let $\mathbf{C}$ be a symmetric monoidal closed category with equalizers and reflexive coequalizers, and $T : \mathbf{C} \to \mathbf{C}$ a monoidal monad. The category $\mathbf{C}^T$ is also symmetric monoidal closed.

$$T(TX \otimes TY) \;\underset{T(x \otimes y)}{\overset{T(\kappa_{X,Y}) ; \mu_{X \otimes Y}}{\rightrightarrows}}\; T(X \otimes Y) \longrightarrow X \otimes_T Y$$

Fig. 9: Symmetric monoidal structure in $\mathbf{C}^T$: for algebras $(X, x)$ and $(Y, y)$, $X \otimes_T Y$ is the coequalizer of the two parallel arrows

$$X \multimap_T Y \longrightarrow (X \multimap Y) \;\underset{f \mapsto Tf ; y}{\overset{x \multimap \mathrm{id}_Y}{\rightrightarrows}}\; (TX \multimap Y)$$

Fig. 10: Closed structure in $\mathbf{C}^T$: $X \multimap_T Y$ is the equalizer of the two parallel arrows

Even though, in general, in order to define the monoidal product one requires a coequalizer, for our purposes we are only interested in products of the form $TA \otimes_T TB$ which, luckily, are easier to characterize, since the equality $TX \otimes_T TY = T(X \otimes Y)$ holds [23].

In this case the lax monoidal transformations $\mu_{X,Y} : TX \otimes_T TY \to T(X \otimes Y)$ and $\varepsilon : TI \to TI$ are simply the identity morphisms. Besides, by using the universal properties of coequalizers it is possible to show the equality $\alpha_{TX, TY, TZ} = \alpha_{X, Y, Z}$, where $\alpha$ is the associator for the monoidal product $\otimes_T$.

Theorem 16. Let $\mathbf{C}$ be a symmetric monoidal category with reflexive coequalizers and $T : \mathbf{C} \to \mathbf{C}$ a monoidal monad. The triple $(\iota, \mu, \varepsilon)$ is a lax monoidal functor.

Proof. The proof follows by unfolding the definitions.
D Proofs

Theorem 3. Let $\Gamma, x : \tau_1 \vdash t : \tau$ and $\Delta \vdash u : \tau_1$ be well-typed terms. Then $\Gamma, \Delta \vdash t\{x/u\} : \tau$.

Proof. The proof follows by structural induction on the typing derivation $\Gamma, x : \tau_1 \vdash t : \tau$.

— Axiom: Since $t = x$, $t\{x/u\} = u$ and $\tau = \tau_1$.
— Abstraction: By hypothesis, $\Gamma, x : \tau_1, y : \tau_2 \vdash t : \tau_3$. Since we can assume wlog that $x \neq y$ and that $y \notin \Delta$, $(\lambda y.\, t)\{x/u\} = \lambda y.\, t\{x/u\}$. Therefore we can show that $\Gamma, \Delta \vdash \lambda y.\, t\{x/u\} : \tau_2 \multimap \tau_3$ by applying the rule Abstraction and the induction hypothesis.
— Application: $(t_1\, t_2)\{x/u\} = t_1\{x/u\}\, t_2\{x/u\}$. Since the language LL is linear, only one of $t_1$ or $t_2$ has $x$ as a free variable. By symmetry we can assume that $t_1$ has $x$ as a free variable, and we can prove $\Gamma, \Delta \vdash t_1\{x/u\}\, t_2 : \tau$ by applying the rule Application and the induction hypothesis.
— Sample: It is easy to prove that $(\mathsf{sample}\ t\ \mathsf{as}\ y\ \mathsf{in}\ M)\{x/u\} = \mathsf{sample}\ (t\{x/u\})\ \mathsf{as}\ y\ \mathsf{in}\ M$.

Theorem 7. Let $x_1 : \tau_1, \ldots, x_n : \tau_n \vdash t : \tau$ and $\Gamma_i \vdash t_i : \tau_i$ be well-typed terms. Then

$$\llbracket \Gamma_1, \ldots, \Gamma_n \vdash t\{x_1/t_1, \ldots, x_n/t_n\} : \tau \rrbracket = (\llbracket \Gamma_1 \vdash t_1 : \tau_1 \rrbracket \otimes \cdots \otimes \llbracket \Gamma_n \vdash t_n : \tau_n \rrbracket) ; \llbracket x_1 : \tau_1, \ldots, x_n : \tau_n \vdash t : \tau \rrbracket$$

Proof. The proof follows by induction on the typing derivation of $t$.

— Axiom: Since $t = x$, $t\{x/t_0\} = t_0$ and $\llbracket t\{x/t_0\} \rrbracket = \llbracket t_0 \rrbracket = \llbracket t_0 \rrbracket ; \mathrm{id} = \llbracket t_0 \rrbracket ; \llbracket x \rrbracket$.
— Unit: $t = \mathsf{unit}$ has no free variables, so the substitution is empty and both sides are $\llbracket \mathsf{unit} \rrbracket$.
— Tensor: We know that $t = t_1 \otimes t_2$. Furthermore, from linearity we know that each free variable appears either in $t_1$ or in $t_2$. Without loss of generality we can assume that $(t_1 \otimes t_2)\{x_1, \ldots, x_n / u_1, \ldots, u_n\} = (t_1\{x_1, \ldots, x_k / u_1, \ldots, u_k\}) \otimes (t_2\{x_{k+1}, \ldots, x_n / u_{k+1}, \ldots, u_n\})$. We can conclude this case from the induction hypothesis and functoriality of $\otimes$.
— LetTensor: This case follows from the functoriality of $\otimes$ and the induction hypothesis.
— Abstraction: This case follows from unfolding the definitions, using the induction hypothesis and the naturality of $\mathsf{cur}$.
— Application: Analogous to the Tensor case.
— Sample: This case is analogous to the Tensor case.
Abstract. We present a domain-specific type theory for constructions
and proofs in category theory. The type theory axiomatizes notions of 
category, functor, profunctor and a generalized form of natural trans- 
formations. The type theory imposes an ordered linear restriction on 
standard predicate logic, which guarantees that all functions between 
categories are functorial, all relations are profunctorial, and all trans- 
formations are natural by construction, with no separate proofs neces- 
sary. Important category-theoretic proofs such as the Yoneda lemma and 
Co-yoneda lemma become simple type-theoretic proofs about the rela- 
tionship between unit, tensor and (ordered) function types, and can be 
seen to be ordered refinements of theorems in predicate logic. The type 
theory is sound and complete for a categorical model in virtual equip- 
ments, which model both internal and enriched category theory. While 
the proofs in our type theory look like standard set-based arguments, the
syntactic discipline ensures that all proofs and constructions carry over
to enriched and internal settings as well.


1 Introduction 


Category theory is a branch of mathematics that studies higher-dimensional 
typed algebraic structures. Originally developed for applications to homologi- 
cal algebra, it was quickly discovered that categorical structures were common 
in logic and computer science. Formal systems like logics, type theories and 
programming languages typically have sound and complete models given by 
notions of structured categories [31,30,34]. This Curry-Howard-Lambek corre- 
spondence applies to simply typed lambda calculus [30], computational lambda 
calculus [34], linear logic [24] dependent type theory [14,45], and many other 
type theories designed based on category-theoretic semantics. The syntax of a 
type theory should present an initial object in its category of models, a category- 
theoretic reformulation of logical soundness and completeness. 

While this research program has been quite successful, category-theoretic 
notions can be overwhelming for beginners. In a traditional set-theoretic for- 
mulation, notions such as adjoint functors and limits produce a proliferation of 
“naturality” and “functoriality” side-conditions that must be discharged. For 
example, when constructing an adjoint pair of functors between two categories, 
a naïve approach would define all of the data of the action on objects, action on 
arrows, prove the functoriality of such actions, as well as construct two families 
of transformations, prove they are natural and then finally prove a pair of
equalities relating compositions of natural transformations. Carrying out these 
proofs explicitly is quite tedious and many newcomers are left with the impres- 
sion that category theory is full of long, but ultimately trivial constructions. 
This complexity is compounded when moving from ordinary category theory to 
enriched and internal category theory, where constructions must be additionally 
proven continuous, monotone, etc., in addition to natural or functorial. However,
these generalizations are often exactly what is needed for programming language 
applications; for example, domain-, metric- and step-index-enriched categories 
have been used to model recursive programming languages and internal cate- 
gories have been used to model parametricity and gradual typing [53,9,44,36]. 


Fortunately, the tools of category theory itself can be employed to simplify 
this complexity, specifically the tools of higher category theory. As an analogy in 
differential calculus, when an adept analyst writes down a function, they do not
expand out the ε-δ definition of continuity for a function and proceed from first
principles, but rather use certain syntactic principles for defining functions that 
are continuous by construction — e.g. that composition of continuous functions is 
continuous. Similar principles apply to category theory itself: functors and natu- 
ral transformations are closed under composition and whiskering operations, and 
experienced category theorists rely on these syntactic principles to eliminate the 
tedium of explicit proofs. In the case of category theory, these principles can be 
formalized using algebraic structures such as 2-categories, bicategories, Yoneda 
structures, (virtual) double categories, pro-arrow equipments [6,56,49,32,17], an 
approach known as formal category theory. In these structures, rather than defin- 
ing notions of category, functor and natural transformation from first principles, 
they are axiomatized in a manner similar to how a category axiomatizes a notion 
of space and homomorphism. Proofs in formal category theory apply to enriched 
and internal settings, which are instances of the formal axioms. A downside 
is that these algebraic structures are quite complicated, and practitioners typ- 
ically employ either an algebraic combinator syntax (formalized in [18]) or a 
2-dimensional diagrammatic language that can be quite beautiful and elegant, 
but is also somewhat removed from the traditional formulation of category the- 
ory in terms of sets and functions. 


In this work, we apply the techniques of categorical logic to define a more 
familiar logical syntax for carrying out constructions and proofs in formal cate- 
gory theory. We call the resulting theory virtual equipment type theory (VETT) 
as (hyperdoctrines of) virtual equipments [32,17], a particular semantic model 
of formal category theory, provide a sound and complete notion of model for the 
theory. VETT provides syntax for categories, functors, profunctors, and natural
transformations, which are defined using familiar term syntax and βη reasoning
principles for λ-functions, bound variables, tuples, etc. By adhering to a syntactic
discipline, the logic guarantees that all functor terms are automatically
functorial, and all natural transformation terms are natural. More specifically, 
the syntax for transformations is a kind of indexed, ordered linear lambda calcu- 
lus, where the indexing ensures that transformations are correctly natural and 
the ordering and linearity ensure that the proofs are valid in a large class of enriched
and internal categories, such as enrichment in a non-symmetric monoidal
category. VETT provides an alternative to algebraic and string-diagram syn- 
taxes for working with virtual equipments, similar to how the lambda calculus 
provides an alternative to categorical combinators and string diagram calculi for 
cartesian closed categories. 


The syntax of VETT is an indexed, ordered linear, proof-relevant variant of 
predicate logic over a unary type theory. Just as a predicate logic has a notion of 
type, term, relation and implication, VETT is based on four analogous category- 
theoretic concepts: categories, functors, profunctors and natural transformations 
of profunctors. Categories are treated like types, and the unary functors we con- 
sider in this paper are each represented by a term whose type is a category and 
whose one free variable ranges over a category. The analog of a relation is a 
profunctor (defined below), which is written like a set with free category vari- 
ables. Like the restriction to unary functors, we restrict to profunctors with two 
free variables. The logic is proof-relevant in that the implications of relations are 
generalized to natural transformations of profunctors, and we use a $\lambda$-calculus 
notation to describe these “proof terms”. This analogy to predicate logic can be 
made formal: any construction in VETT can be erased to a corresponding con- 
struction or proof in predicate logic, as sets, functions, relations, and implication 
of relations define a (somewhat degenerate) virtual equipment. 


While the restricted syntax developed in this paper does not express some 
important concepts such as functor categories or opposite categories, the re- 
striction is natural in that it corresponds exactly to virtual equipments, a well- 
understood notion of model that can express a great deal of fundamental results 
and constructions in category theory [43,47]. Moreover, we can work around 
these unary/binary restrictions to some extent by viewing the type theory as a 
domain-specific language embedded in a metalanguage. For example, while we 
cannot talk about functor categories, we can state a theorem that quantifies 
over functors using the meta-language’s “external” universal quantifier (which 
does not have automatic functoriality/naturality properties). To support this, 
VETT includes a third layer, an extensional dependent type theory in the style 
of Martin-Löf type theory. All of our ordered predicate logic judgments are also 
indexed by a context from this dependent type theory, and the type theory 
includes universe types for categories, functors, profunctors and natural 
transformations. This allows us to formalize theorems the object logic is too restrictive 
to encode, analogous to 2-level [51,2,39] or indexed type theories [27,15,52,29]. 


While we emphasize the applications to enriched and internal category theory 
in this work, there is potential for more direct application to programming lan- 
guage semantics. Ordinary predicate logic is the foundation for proof-theoretic 
presentations of logical relations, such as Abadi-Plotkin logic for parametricity 
and LSLR and Iris for step-indexed logical relations proofs [40,20,28]. We con- 
jecture that VETT might similarly serve as the foundation for a logic of ordered 
structures, which abound in applications: rewriting and approximation relations 
can both be modeled as orderings and logical relations involving these structures 
are proven to respect orderings; operational logical relations must be downward- 
closed and approximation relations should satisfy transitivity. Just as LSLR and 
Iris release the user from the syntactic burden of explicit step-indexing, VETT 
may be used to release the user from the syntactic burden of proving downward- 
closure or transitivity side-conditions. Additionally, VETT may serve as the 
basis of a future domain specific proof assistant for category-theoretic proofs. 
To pilot-test this, we have formalized the syntax of VETT in Agda 2.6.2.2, 
using the rewrite mechanism to make VETT's substitution and $\beta$-reduction rules 
definitional equalities.¹ We have used this lightweight implementation to check 
a number of examples. 

Basics of Profunctors. While we assume the reader has some background 
knowledge of category theory, we briefly define profunctors, which are not in- 
cluded in many introductory texts. Recall that a category C has a collection of 
objects and morphisms with identity and composition, and a functor $F : C \to D$ 
is a function on objects and a function on morphisms that preserves identity and 
composition. A category can be thought of as a generalization of a preordered 
set, which has a set of elements and a binary relation on those elements satisfying 
reflexivity and transitivity. A category is then a proof-relevant preorder, where 
morphisms are the proofs of ordering, and the reflexivity and transitivity proofs 
must satisfy identity and unit equations. A functor is then a proof-relevant 
monotone function. Given categories $C$ and $D$, a profunctor $R$ from $C$ to $D$, written 
$R : C \nrightarrow D$, is a functor $R : C^{op} \times D \to \mathrm{Set}$.² Because a profunctor outputs a 
set rather than a proposition, it is itself a proof-relevant relation. Thinking of 
categories as proof-relevant preorders, functoriality says that the profunctor is 
downward-closed in $C$ and upward-closed in $D$. Given profunctors $R, S : C \nrightarrow D$, 
a homomorphism from $R$ to $S$ is a natural transformation, which in the 
preordered setting is simply an implication of relations. 

Profunctors are very useful for formalizing category theory, but an additional 
reason we make them a basic concept of VETT is that they allow us to give a 
universal property for the type of "morphisms in a category $C$". This is analogous 
to how the J elimination rule for the identity type in Martin-Löf type theory 
gives a universal property for morphisms in a groupoid (the special case of a 
category where all morphisms are invertible) [26,5,50]. The reason profunctors 
are useful for this purpose is that, for any category $C$, $\mathrm{Hom}_C : C \nrightarrow C$ is 
a profunctor. On preorders this is just the preorder's ordering relation itself. 
Moreover, the hom profunctor is the unit for a composition of profunctors $R \odot S$ 
which is defined as a coend. The composition of profunctors is a generalization 
of the composition of relations, and just as the equality relation is the identity 
for the composition of relations, the hom profunctor is the identity for this 
composition. The unit law for the hom profunctor can be seen as a "morphism 
induction” principle, analogous to the “path induction” used in homotopy type 
theory (though in this paper we consider only ordinary 1-dimensional categories, 
not higher generalizations). 
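As an added worked instance (not from the paper), here is the unit law for the hom profunctor carried out in the degenerate preorder model, where the coend collapses to an existential. Take a preorder $(C, \le)$ and a relation $R \subseteq C \times D$ that is downward-closed in its first argument, i.e. $c' \le c$ and $R(c,d)$ imply $R(c',d)$. Composition of relations plays the role of $\odot$:

$$(\mathrm{Hom}_C \odot R)(c, d) \;=\; \exists c'.\; c \le c' \wedge R(c', d).$$

The two directions of the unit law $\mathrm{Hom}_C \odot R \cong R$ are then: given $R(c,d)$, choose the witness $c' := c$ and use reflexivity $c \le c$; conversely, given $c \le c'$ and $R(c',d)$, downward-closure of $R$ in $C$ yields $R(c,d)$. In the proof-relevant, $\mathrm{Set}$-valued case the same two steps are the identity morphism and the action $R(f, \mathrm{id})$ of the profunctor on a morphism $f : c \to c'$, and the isomorphism

$$\int^{c'} \mathrm{Hom}_C(c,c') \times R(c',d) \;\cong\; R(c,d)$$

is the usual coend form of the unit law. It is exactly this law that the "morphism induction" principle expresses syntactically: to define something on an arbitrary proof of $c \le c'$ it suffices to define it on the reflexivity proof.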


¹ https://github.com/maxsnew/virtual-equipments/blob/master/agda/STC.agda 
² $C^{op}$ is the notation we use for the opposite category of $C$ 
Outline. In Section 2 we introduce the syntax of VETT. In Section 3 we 
demonstrate how to use our syntax for formal category theory. In Section 4, we 
develop some model theory for VETT, including a sound and complete notion 
of categorical model and sound interpretation in virtual equipments modeling 
ordinary, enriched and internal category theory. In Section 5, we discuss related 
type theories and potential extensions. 


2 Syntax of VETT 


In Figure 1 we give a table summarizing the relationship between the judgments 
and connectives of higher-order predicate logic with our ordered variant. Due 
to the incorporation of variance, some unordered concepts generalize to multi- 
ple different ordered notions. For instance, covariant and contravariant presheaf 
categories generalize the power set. Further, because we only have binary rela- 
tions rather than relations of arbitrary arity, we have only restricted forms of 
universal and existential quantification which come combined with implications 
and conjunctions. 


Higher-Order Logic                                   | Virtual Equipment Type Theory 
Set $X$                                              | Category $C$ 
$X \times Y$                                         | $C \times D$ 
$1$                                                  | $1$ 
$\mathcal{P}X$                                       | $P^+X$ and $P^-X$ 
$\{(x,y) \in X \times Y \mid R(x,y)\}$               | $\sum_{\alpha;\beta} R$ 
Function $f(x : X) : Y$                              | Functor/Object $\alpha : C \vdash A : D$ 
Relation $R(x, y)$                                   | Profunctor/Set $\alpha : C; \beta : D \vdash R$ 
$R \wedge Q$                                         | $R \times Q$ 
$\top$                                               | $1$ 
$\forall y.\, P \Rightarrow Q$                       | $P \triangleright^{\gamma:C} Q$ and $Q\ {}^{\gamma:C}\!\triangleleft\, P$ 
$\exists y.\, P \wedge Q$                            | $P \odot^{\gamma:C} Q$ 
$x = y$                                              | $\alpha \to_C \beta$ 
Proof $\forall \bar{x}.\, R_1 \wedge \cdots \Rightarrow Q$ | Nat. Trans./Element $\alpha_1, x_1 : R_1(\alpha_1, \alpha_2), \ldots \vdash t : Q$ 


Fig. 1. Analogy between Higher-Order Logic and VETT Judgments and Connectives 


The syntactic forms of VETT are given in Figure 2. First, we have categories, 
which are analogous to sorts in a first-order theory. We have $M$, a base 
sort, product and unit sorts, as well as the graph of a profunctor and the negative 
and positive presheaf categories. Next, objects $a, b, c$ are the syntax for the 
functors between categories. We call them objects rather than functors, because 
in type-theoretic style, a functor is viewed as a "generalized object" parameterized 
by an input variable $\alpha : C$. Next, sets $P, Q, R$ are the syntax for sets; these 
sets denote profunctors, i.e., a categorification of relations. Similar to functors, 
rather than writing profunctors as functions $C^{op} \times D \to \mathrm{Set}$, we write them as 
sets with a contravariant variable $\alpha : C$ and a covariant variable $\beta : D$. The sets 
we can define are the Hom-set, the tensor and internal hom, as well as products 
of sets, profunctors applied to two objects and elements of positive and nega- 
tive presheaves. Finally we have elements of sets, which correspond to natural 
transformations of multiple inputs, where again we view natural transformations 
valued in a profunctor as generalized elements of profunctors. 

After these forms we have types and terms, which represent the meta-language 
that we use to talk about categories/profunctors/natural transformations. In 
addition to standard dependent type theory with $\Pi$ and $\Sigma$ and identity types, we 
have universes of categories, functors, profunctors and natural transformations. 

Finally we have several forms of context which are used in the theory. The 
contexts $\Gamma$ of term variables with their types are as usual; we write "$\Gamma$ type 
context" to indicate that a context is well-formed. We name the remaining 
contexts after the judgements that they are used by. The set contexts $\Xi$, which will 
be used to type-check sets, contain object variables with their categories. The 
two forms of set context are $\alpha : C$, containing one variable that can be used 
both contravariantly and covariantly, and $\alpha : C; \beta : D$, containing a contravariant 
variable $\alpha$ and covariant variable $\beta$. Finally, the transformation contexts 
$\Phi$ contain element variables with their sets, alternating with those sets' object 
variables with their categories. A typical $\Phi$ has the shape 


$$\alpha_1 : C_1,\ x_1 : R_1(\alpha_1, \alpha_2),\ \alpha_2 : C_2,\ x_2 : R_2(\alpha_2, \alpha_3),\ \ldots,\ x_n : R_n(\alpha_n, \alpha_{n+1}),\ \alpha_{n+1} : C_{n+1}$$


and represents the composition of the "relations" $R_1, R_2, R_3, \ldots, R_n$. We write 
$d^-(\Phi)$ for the first category variable in $\Phi$ (which we regard as the negative or 
contravariant position), $d^+(\Phi)$ for the last category variable in $\Phi$ (which we 
regard as the positive or covariant position) and use the notation $d^{\pm}\Xi$ with the 
same meaning. We write $\Phi_1 \,\mathrm{Y}\, \Phi_2$ for the append of two transformation contexts, 
which is only well-formed when the last variable in $\Phi_1$ is equal to the first variable 
in $\Phi_2$. Formal inductive definitions are in the appendix, but intuitively: 


$$d^-(\alpha_1 : C_1, x_1 : R_1(\alpha_1, \alpha_2), \ldots, x_n : R_n(\alpha_n, \alpha_{n+1}), \alpha_{n+1} : C_{n+1}) = \alpha_1 : C_1$$
$$d^+(\alpha_1 : C_1, x_1 : R_1(\alpha_1, \alpha_2), \ldots, x_n : R_n(\alpha_n, \alpha_{n+1}), \alpha_{n+1} : C_{n+1}) = \alpha_{n+1} : C_{n+1}$$
$$(\Phi_1, \beta : D) \,\mathrm{Y}\, (\beta : D, \Phi_2) = \Phi_1, \beta : D, \Phi_2$$


Next, we overview our basic judgement forms. We have 


— Categories: $\Gamma \vdash C\ \mathrm{Cat}$, where $\Gamma$ type context. 

— Objects/functors: $\Gamma \mid \alpha : C \vdash a : D$, where $\Gamma \vdash C\ \mathrm{Cat}$ and $\Gamma \vdash D\ \mathrm{Cat}$. Objects 
are typed with an input object variable $\alpha : C$ and an output category 
$D$; in the semantics, objects are modeled as functors $C \to D$. 

— Sets/profunctors: $\Gamma \mid \Xi \vdash S\ \mathrm{Set}$, where $\Gamma \vdash \Xi$ set context. A set $S$ is typed 
with respect to a set context $\Xi$ to describe its covariant/contravariant dependence 
on some input objects. Sets are semantically modeled as profunctors. 

— Elements/natural transformations: $\Gamma \mid \Phi \vdash s : R$, where $\Gamma \vdash \Phi$ trans. context 
and $\Gamma \mid \overline{\Phi} \vdash R\ \mathrm{Set}$. A transformation $s$ has a context $\Phi$ of transformation 
variables and a single output set $R$. To be well-formed, the context and set 
must be parameterized by the same contravariant and covariant object variables. 
To ensure this, we use a coercion operation $\overline{\Phi}$ from transformation 
contexts to set contexts that erases everything in the context but the leftmost 
and rightmost object variables ($\overline{\alpha : C} = \alpha : C$ and $\overline{\Phi} = d^-(\Phi); d^+(\Phi)$). 

— Meta-language types and terms: $\Gamma \vdash A\ \mathrm{Type}$ and $\Gamma \vdash M : A$ as in standard 
dependent type theory. 


Categories     $C, D, E ::= M \mid C \times D \mid 1 \mid \sum_{\alpha;\beta} P \mid P^- C \mid P^+ C$ 
Objects        $a, b, c ::= \alpha \mid M\,a \mid (a, b) \mid () \mid \pi_i a \mid (a_-, a_+, s) \mid \pi_- a \mid \pi_+ a \mid \lambda\alpha : C.R$ 
Sets           $P, Q, R ::= a \to_C b \mid P \odot^{\beta:D} Q \mid P \triangleright^{\alpha:C} Q \mid S\ {}^{\alpha:C}\!\triangleleft R \mid 1 \mid P \times Q \mid M(a; b) \mid b \in a \mid a \ni b$ 
Elements       $s, t, u ::= x \mid \mathrm{ind}_\to(\alpha.t, b_1, s, b_2) \mid \mathrm{id}_a \mid \mathrm{ind}_\odot(x, \beta, y.t; s) \mid (s, b, t) \mid s \triangleright^b t \mid \lambda(x, \alpha).s \mid s\ {}^a\!\triangleleft t \mid \lambda(\alpha, x).s \mid \pi_i s \mid (s_1, s_2) \mid () \mid \pi_s a \mid M^a$ 
Type           $A, B, C ::= \ldots \mid \mathrm{SmallCat} \mid \mathrm{Cat} \mid \mathrm{Fun}\ C\ D \mid \mathrm{Prof}\ C\ D \mid \forall\alpha : C.R$ 
Term           $L, M, N ::= \ldots \mid \lceil C \rceil \mid \lambda\alpha : C.a \mid \lambda(\alpha : C; \beta : D).R \mid \lambda\alpha.t$ 
Type Context   $\Gamma, \Delta ::= \cdot \mid \Gamma, X : A$ 
Set Context    $\Xi, Z ::= \alpha : C \mid \alpha : C; \beta : D$ 
Trans. Context $\Phi, \Psi ::= \alpha : C \mid \Phi, x : P, \beta : D$ 


Fig. 2. VETT Syntactic Forms 


The variable rules for objects and elements are 


$$\Gamma \mid \alpha : C \vdash \alpha : C \qquad\qquad \Gamma \mid \alpha : C, x : R, \beta : D \vdash x : R$$


As when using variables in linear logic, the latter rule applies only when the context 
contains a single set $R$. All syntactic forms typed in context admit an action 
of substitution. For types and terms, this is as usual. Objects $\alpha : C \vdash a : D$ can 
be substituted for object variables $\beta : D$ in other objects. We can also substitute 
objects into sets, that is, if we have a set $P$ parameterized by a contravariant 
variable $\alpha : C$ and a covariant variable $\beta : D$, then we can substitute objects 
$a : C$ and $b : D$ for these variables, written $P[a/\alpha; b/\beta]$. This generalizes the ordinary 
precomposition of a relation by a function. Semantically this is the "restriction" 
of a profunctor along two functors, which is just composition of functors if a 
profunctor is viewed as a functor to $\mathrm{Set}$. Modeling this operation as a substitution 
considerably simplifies reasoning using profunctors. Finally we have the action 
of substitution on elements/natural transformations. First, we can substitute 
elements/natural transformations for the set variables in elements, denoting the 
composition of natural transformations. Second, an element is also parameterized 
by a contravariant and a covariant category variable $\alpha; \beta$. We can think 
of natural transformations as polymorphic in the categories involved, and so 
when we make a transformation substitution, we also instantiate the polymorphic 
category variables with objects. The full syntactic details of substitution 
are included in the appendix. 
2.1 Category Connectives 


In this section we discuss some connectives for constructing categories, which are 
specified by introduction and elimination rules in Figure 3 (the $\beta\eta$ equality and 
substitution rules are included in the appendix). The introduction and elimination 
rules make use of functors, profunctors, and natural transformations. First 
we introduce the additive connectives: the unit category $1$ and product category 
$C \times D$ have the usual introduction and elimination rules defining functors 
to/from them. Next, we introduce the graph of a profunctor $\sum_{\alpha;\beta} P$. Just as a 
relation $R : A \times B \to \mathrm{Set}$ can be viewed as a subset $\{(a,b) \in A \times B \mid R(a,b)\}$, 
any profunctor $P : C_-^{op} \times C_+ \to \mathrm{Set}$ can be viewed as a category with a functor 
to $C_- \times C_+$ (no op), specifically a two-sided discrete fibration. In set-based category 
theory, the objects of $\sum_{\alpha;\beta} P$ are triples $(a_-, a_+, s : P(a_-, a_+))$ and morphisms 
from $(a_-, a_+, s)$ to $(a_-', a_+', s')$ are pairs of morphisms $f_- : a_- \to a_-'$ and 
$f_+ : a_+ \to a_+'$ such that $P(\mathrm{id}, f_+)(s) = P(f_-, \mathrm{id})(s')$. With various choices of $P$, 
this connective can be used to define the arrow category, slice category, comma 
category and category of elements. In our syntax we define it as the universal 
category $C$ equipped with functors to $C_-$ and $C_+$ and a natural transformation 
to $P$. 

Lastly, we define the negative and positive presheaf categories $P^-C$ and 
$P^+D$. These are given a syntax suggestive of the fact that they generalize the 
notion of a powerset, and so can be thought of as "power categories". Note that 
we include a restriction that the input category is small, which is inductively 
defined by saying all base categories are small, the unit is small, the product of small 
categories is small and the graph of a profunctor over small categories is small. 
Notably, the presheaf categories themselves are not small. The negative presheaf 
category is defined by its universal property that a functor into it $D \to P^-C$ 
is equivalent to a profunctor $C^{op} \times D \to \mathrm{Set}$. The introduction rule constructs 
an object of the negative presheaf category from such a profunctor and the 
elimination rule inverts it. We use the notation $a \in p$ for the elements of the 
induced profunctor. Since $a$ occurs in a negative position, it must depend only 
on the contravariant variable $d^-\Xi$ and vice-versa for $p$. The positive presheaf 
category is then the dual. In ordinary set-theoretic category theory the negative 
presheaf category is the usual presheaf category $\mathrm{Set}^{C^{op}}$, and the positive presheaf 
category is the opposite of the dual presheaf category $(\mathrm{Set}^{C})^{op}$. 


2.2 Set Connectives 


Next, in Figure 4, we cover the connectives for the sets/profunctors, which classify 
elements/natural transformations (the $\beta/\eta$-rules are in the appendix). First, 
the unit set $a \to_C b$ is our syntax for the profunctor of morphisms in $C$ instantiated 
at generalized objects $a$ and $b$. Its introduction and elimination rules are 
analogous to the usual rules for equality in intensional Martin-Löf type theory. 
The introduction rule is the identity morphism (reflexivity) and the elimination 
rule is an induction principle: we can use a term $s : a \to_C b$ by specifying 
the behavior when $s$ is of the form $\mathrm{id}_\alpha$ in the form of a continuation $\alpha.t$. Like 
the J elimination rule for equality in Martin-Löf type theory, $P$ must be "fully 
general", i.e. well-typed for variables $\alpha$ and $\beta$. This is because for distinct variables 
$\alpha$ and $\beta$, $\alpha \to_C \beta$ denotes the unit in a virtual double category, which has a 
universal property, but $a \to_C b$ denotes a restriction of the unit, which in general 
does not. Those familiar with linear logic as in e.g. [41] might expect a more 
general rule, where the continuation $t$ is allowed to use variables that are not 
used in $s$, i.e., have a context $\Phi_1 \,\mathrm{Y}\, \alpha : C \,\mathrm{Y}\, \Phi_2$, and the conclusion of the rule to have a 
context $\Phi_1 \,\mathrm{Y}\, \Phi \,\mathrm{Y}\, \Phi_2$. Because of dependency, this is not necessarily well-formed 
in cases where the endpoints $a$ and $b$ of $a \to_C b$ are not distinct variables. However, 
the instances of this more general rule that do type check are derivable 
from our more restricted rule using right/left-hom types. 


Unit: 
$$\frac{}{\Gamma \vdash 1\ \mathrm{Cat}} \qquad \frac{}{\Gamma \mid \alpha : C \vdash () : 1}$$ 

Product: 
$$\frac{\Gamma \vdash C_1\ \mathrm{Cat} \quad \Gamma \vdash C_2\ \mathrm{Cat}}{\Gamma \vdash C_1 \times C_2\ \mathrm{Cat}} \qquad \frac{\Gamma \mid \alpha : C \vdash a_1 : C_1 \quad \Gamma \mid \alpha : C \vdash a_2 : C_2}{\Gamma \mid \alpha : C \vdash (a_1, a_2) : C_1 \times C_2} \qquad \frac{\Gamma \mid \alpha : C \vdash a : C_1 \times C_2}{\Gamma \mid \alpha : C \vdash \pi_i a : C_i}$$ 

Graph of a profunctor: 
$$\frac{\Gamma \mid \alpha : C_-; \beta : C_+ \vdash P\ \mathrm{Set}}{\Gamma \vdash \sum_{\alpha;\beta} P\ \mathrm{Cat}} \qquad \frac{\Gamma \mid \alpha : C \vdash a_- : C_- \quad \Gamma \mid \alpha : C \vdash a_+ : C_+ \quad \Gamma \mid \alpha : C \vdash s : P[a_-/\alpha; a_+/\beta]}{\Gamma \mid \alpha : C \vdash (a_-, a_+, s) : \sum_{\alpha;\beta} P}$$ 
$$\frac{\Gamma \mid \alpha : C \vdash a : \sum_{\alpha;\beta} P}{\Gamma \mid \alpha : C \vdash \pi_- a : C_-} \qquad \frac{\Gamma \mid \alpha : C \vdash a : \sum_{\alpha;\beta} P}{\Gamma \mid \alpha : C \vdash \pi_+ a : C_+} \qquad \frac{\Gamma \mid \alpha : C \vdash a : \sum_{\alpha;\beta} P}{\Gamma \mid \alpha : C \vdash \pi_s a : P[\pi_- a/\alpha; \pi_+ a/\beta]}$$ 

Negative Presheaf: 
$$\frac{\Gamma \vdash C\ \mathrm{Cat} \quad \Gamma \vdash C\ \mathrm{Small}}{\Gamma \vdash P^-C\ \mathrm{Cat}} \qquad \frac{\Gamma \mid d^-\Xi \vdash a : C \quad \Gamma \mid d^+\Xi \vdash p : P^-C}{\Gamma \mid \Xi \vdash a \in p\ \mathrm{Set}} \qquad \frac{\Gamma \mid \alpha : C; \beta : D \vdash R\ \mathrm{Set}}{\Gamma \mid \beta : D \vdash \lambda\alpha : C.R : P^-C}$$ 

Positive Presheaf: 
$$\frac{\Gamma \vdash D\ \mathrm{Cat} \quad \Gamma \vdash D\ \mathrm{Small}}{\Gamma \vdash P^+D\ \mathrm{Cat}} \qquad \frac{\Gamma \mid d^-\Xi \vdash p : P^+D \quad \Gamma \mid d^+\Xi \vdash a : D}{\Gamma \mid \Xi \vdash p \ni a\ \mathrm{Set}} \qquad \frac{\Gamma \mid \alpha : C; \beta : D \vdash R\ \mathrm{Set}}{\Gamma \mid \alpha : C \vdash \lambda\beta : D.R : P^+D}$$ 


Fig. 3. Category Connectives 

The tensor product of sets is a kind of combined existential quantifier and 
monoidal product, which we combine into a single notation $P \odot^{\beta:D} Q$, where $\beta$ 
is the covariant variable of $P$ and the contravariant variable of $Q$. Then the 
covariant variable of the tensor product is the covariant variable of $Q$ and the 
contravariant variable similarly comes from $P$. In ordinary category theory, this 
is the composition of profunctors, and is defined by a coend of a product. We 
require that the variable $\beta$ quantifies over a small category $D$, as in general this 
composite doesn't exist for large categories. The introduction and elimination are 
like those for a combined tensor product and existential type: the introduction 
rule is a pair of terms, with an appropriate instantiation of $\beta$, and the elimination 
rule says that to use a term of a tensor product, it is sufficient to specify the behavior 
on two elements typed with an arbitrary middle object $\beta$. 
Next, we introduce the contravariant ($P\ {}^{\alpha:C}\!\triangleleft R$) and covariant ($R \triangleright^{\alpha:C} P$) homs 
of sets, which are different from each other because we are in an ordered logic. 
These are a kind of universally quantified function type, where the universally 
quantified variable must occur with the same variance in domain and codomain. 
In the contravariant case, it occurs as the contravariant variable in both, and 
vice-versa for the covariant case. To highlight this, the notation for the contravariant 
dependence puts the quantified variable on the left of the triangle, as 
contravariant variables occur to the left of the covariant variable, and similarly 
the covariant hom has the quantified variable on the right. Similar to ordered 
lambda calculus, the covariant hom is right-associative while the contravariant 
hom is left-associative. Then the covariant variable of the contravariant hom set 
is the covariant variable of the codomain, and the contravariant variable of 
the hom set is the covariant variable of the domain, as the two contravariances 
cancel. The covariant hom is dual. Semantically, in ordinary category theory 
these are known as the hom of profunctors and are adjoint to the composition of 
profunctors [7]. The two connectives have similar introduction and elimination 
rules in the form of $\lambda$ terms abstracting over both the object of the category 
and the element of the set, and appropriate application forms. To keep with our 
invariant that the variable occurrences occur left to right in the term syntax in 
a manner matching the context, we write the covariant application in the usual 
order $s \triangleright^a t$ where the function is on the left and the argument is on the right, 
and the contravariant application $s\ {}^a\!\triangleleft t$ in the flipped order. We also write the 
instantiating object as a superscript to de-emphasize it, as in practice it can often be 
inferred. 

Finally, we have the cartesian unit and product sets, which are analogous to 
the normal unit and product of types. The most notable point to emphasize is 
that in the formation rule for the product, the two subformulae should have the 
same covariant and contravariant dependence (as with linear logic, some 
constructions can syntactically use a variable more than once and still be "linear"). 


2.3 Type Connectives 


Finally, we briefly describe the connectives for the "meta-logic", which extends 
Martin-Löf type theory with $\Pi/\Sigma$ and extensional identity types (with their 
standard rules) (Fig. 5). We use extensional identity types so that the description 
of models is simpler, but intensional identity types could be used instead. 
The types we include are universes for the object categorical logic: types of 
small categories and locally small categories, functors, profunctors and natural 
transformations. The rules for the types of small categories and (large) categories 
are very similar: any definable category defines an element of type $\mathrm{Cat}$, and any 
element of that type can be reflected back into a category. The only difference 
for $\mathrm{SmallCat}$ is that the categories involved additionally satisfy $C\ \mathrm{Small}$. Again 
we elide the $\beta\eta$ principles, which state that $\lceil - \rceil$ and $\lfloor - \rfloor$ are mutually inverse. 
Since every small category $C\ \mathrm{Small}$ is a category $C\ \mathrm{Cat}$, there is a definable 
inclusion function from $\mathrm{SmallCat}$ to $\mathrm{Cat}$ and the $\beta\eta$ properties ensure that this 
is a monomorphism. 


A Formal Logic for Formal Category Theory 123 


Unit/morphism set: 
$$\frac{\Gamma \mid d^-\Xi \vdash a_1 : C \quad \Gamma \mid d^+\Xi \vdash a_2 : C}{\Gamma \mid \Xi \vdash a_1 \to_C a_2\ \mathrm{Set}} \qquad \frac{\Gamma \mid \beta : D \vdash a : C}{\Gamma \mid \beta : D \vdash \mathrm{id}_a : a \to_C a} \qquad \frac{\Gamma \mid \alpha : C; \beta : C \vdash P\ \mathrm{Set} \quad \Gamma \mid \alpha : C \vdash t : P[\alpha/\alpha; \alpha/\beta] \quad \Gamma \mid \Phi \vdash s : a \to_C b}{\Gamma \mid \Phi \vdash \mathrm{ind}_\to(\alpha.t, a, s, b) : P[a/\alpha; b/\beta]}$$ 

Tensor product: 
$$\frac{\Gamma \vdash D\ \mathrm{Small} \quad \Gamma \mid d^-\Xi; \beta : D \vdash P\ \mathrm{Set} \quad \Gamma \mid \beta : D; d^+\Xi \vdash Q\ \mathrm{Set}}{\Gamma \mid \Xi \vdash P \odot^{\beta:D} Q\ \mathrm{Set}}$$ 
$$\frac{\Gamma \mid d^+\Phi_1 \vdash b : D \quad \Gamma \mid \Phi_1 \vdash s : P[b/\beta] \quad \Gamma \mid \Phi_2 \vdash t : Q[b/\beta]}{\Gamma \mid \Phi_1 \,\mathrm{Y}\, \Phi_2 \vdash (s, b, t) : P \odot^{\beta:D} Q} \qquad \frac{\Gamma \mid \Phi_2 \vdash s : P \odot^{\beta:D} Q \quad \Gamma \mid \Phi_1 \,\mathrm{Y}\, (d^-\Phi_2, x : P, \beta : D, y : Q, d^+\Phi_2) \,\mathrm{Y}\, \Phi_3 \vdash t : R}{\Gamma \mid \Phi_1 \,\mathrm{Y}\, \Phi_2 \,\mathrm{Y}\, \Phi_3 \vdash \mathrm{ind}_\odot(x, \beta, y.t; s) : R}$$ 

Right hom: 
$$\frac{\Gamma \vdash d^+\Xi\ \mathrm{Small} \quad \Gamma \mid d^+\Xi; \alpha : C \vdash R\ \mathrm{Set} \quad \Gamma \mid d^-\Xi; \alpha : C \vdash P\ \mathrm{Set}}{\Gamma \mid \Xi \vdash R \triangleright^{\alpha:C} P\ \mathrm{Set}} \qquad \frac{\Gamma \mid \Phi, x : R, \alpha : C \vdash t : P}{\Gamma \mid \Phi \vdash \lambda(x : R, \alpha : C).t : R \triangleright^{\alpha:C} P} \qquad \frac{\Gamma \mid \Phi_1 \vdash s : R \triangleright^{\alpha:C} P \quad \Gamma \mid d^+\Phi_2 \vdash a : C \quad \Gamma \mid \Phi_2 \vdash t : R[a/\alpha]}{\Gamma \mid \Phi_1 \,\mathrm{Y}\, \Phi_2 \vdash s \triangleright^a t : P[a/\alpha]}$$ 

Left hom: 
$$\frac{\Gamma \vdash d^-\Xi\ \mathrm{Small} \quad \Gamma \mid \alpha : C; d^-\Xi \vdash R\ \mathrm{Set} \quad \Gamma \mid \alpha : C; d^+\Xi \vdash P\ \mathrm{Set}}{\Gamma \mid \Xi \vdash P\ {}^{\alpha:C}\!\triangleleft R\ \mathrm{Set}} \qquad \frac{\Gamma \mid \alpha : C, x : R, \Phi \vdash t : P}{\Gamma \mid \Phi \vdash \lambda(\alpha : C, x : R).t : P\ {}^{\alpha:C}\!\triangleleft R} \qquad \frac{\Gamma \mid d^-\Phi_1 \vdash a : C \quad \Gamma \mid \Phi_1 \vdash s : R[a/\alpha] \quad \Gamma \mid \Phi_2 \vdash t : P\ {}^{\alpha:C}\!\triangleleft R}{\Gamma \mid \Phi_1 \,\mathrm{Y}\, \Phi_2 \vdash s\ {}^a\!\triangleleft t : P[a/\alpha]}$$ 

Cartesian unit and products: 
$$\frac{}{\Gamma \mid \Xi \vdash 1\ \mathrm{Set}} \qquad \frac{}{\Gamma \mid \Phi \vdash () : 1} \qquad \frac{\Gamma \mid \Xi \vdash R\ \mathrm{Set} \quad \Gamma \mid \Xi \vdash S\ \mathrm{Set}}{\Gamma \mid \Xi \vdash R \times S\ \mathrm{Set}} \qquad \frac{\forall i \in \{1,2\}.\ \Gamma \mid \Phi \vdash s_i : R_i}{\Gamma \mid \Phi \vdash (s_1, s_2) : R_1 \times R_2} \qquad \frac{\Gamma \mid \Phi \vdash s : R_1 \times R_2}{\Gamma \mid \Phi \vdash \pi_i s : R_i}$$ 


Fig. 4. Set Connectives 


Next, we have the types of all functors and profunctors between any two 
fixed categories. The introduction and elimination forms are those for unary and 
binary function types respectively, where metalanguage terms of type Fun C D 
can be used to construct an object/functor, while metalanguage terms of type 
Prof C D can be used to construct a set/profunctor. 

Finally we include a type $\forall\alpha : C.P$ which we call the set of "natural elements" 
of $P$. The name comes from the case that $P$ is of the form $F(\alpha) \to_D G(\alpha)$, 
in which case the type $\forall\alpha : C.\ F(\alpha) \to_D G(\alpha)$ can be interpreted as the set of 
all natural transformations from $F$ to $G$. More generally this is modeled as an 
end, and we notate it with a universal quantifier (just as we do for the quantifiers 
in left/right hom types). Syntactically, $\forall\alpha.P$ is a meta-language type that 
represents elements/natural transformations with exactly one free variable. 


3 Formal Category Theory in VETT 


To demonstrate what formal category theory in VETT looks like, we demonstrate 
some basic definitions and theorems. While it is well known that much 
category theory can be formalized in virtual equipments, we show these examples 
to demonstrate how the VETT syntax gives a more familiar syntax to these 
constructions, while still avoiding the need for explicit naturality and functoriality 
side conditions. We have mechanized some of the results in this section (e.g. 
Lemma 2 and Lemma 3 and the maps in Lemma 4) in Agda.³ 


$$\frac{\Gamma \vdash C\ \mathrm{Small}}{\Gamma \vdash \lceil C \rceil : \mathrm{SmallCat}} \quad \frac{\Gamma \vdash M : \mathrm{SmallCat}}{\Gamma \vdash \lfloor M \rfloor\ \mathrm{Small}} \quad \frac{\Gamma \vdash C\ \mathrm{Cat}}{\Gamma \vdash \lceil C \rceil : \mathrm{Cat}} \quad \frac{\Gamma \vdash M : \mathrm{Cat}}{\Gamma \vdash \lfloor M \rfloor\ \mathrm{Cat}} \quad \frac{}{\Gamma \vdash \mathrm{SmallCat}\ \mathrm{Type}} \quad \frac{}{\Gamma \vdash \mathrm{Cat}\ \mathrm{Type}}$$ 
$$\frac{\Gamma \vdash C\ \mathrm{Cat} \quad \Gamma \vdash D\ \mathrm{Cat}}{\Gamma \vdash \mathrm{Fun}\ C\ D\ \mathrm{Type}} \quad \frac{\Gamma \mid \alpha : C \vdash A : D}{\Gamma \vdash \lambda\alpha : C.A : \mathrm{Fun}\ C\ D} \quad \frac{\Gamma \vdash M : \mathrm{Fun}\ D\ E \quad \Gamma \mid \alpha : C \vdash A : D}{\Gamma \mid \alpha : C \vdash M\,A : E}$$ 
$$\frac{\Gamma \vdash C\ \mathrm{Cat} \quad \Gamma \vdash D\ \mathrm{Cat}}{\Gamma \vdash \mathrm{Prof}\ C\ D\ \mathrm{Type}} \quad \frac{\Gamma \mid \alpha : C; \beta : D \vdash R\ \mathrm{Set}}{\Gamma \vdash \lambda(\alpha : C; \beta : D).R : \mathrm{Prof}\ C\ D} \quad \frac{\Gamma \vdash M : \mathrm{Prof}\ C\ D \quad \Gamma \mid d^-\Xi \vdash A : C \quad \Gamma \mid d^+\Xi \vdash B : D}{\Gamma \mid \Xi \vdash M\,A\,B\ \mathrm{Set}}$$ 
$$\frac{\Gamma \mid \alpha : C \vdash P\ \mathrm{Set}}{\Gamma \vdash \forall\alpha : C.P\ \mathrm{Type}} \quad \frac{\Gamma \mid \alpha : C \vdash t : P}{\Gamma \vdash \lambda\alpha.t : \forall\alpha.P} \quad \frac{\Gamma \vdash M : \forall\alpha.P \quad \Gamma \mid \beta : D \vdash a : C}{\Gamma \mid \beta : D \vdash M^a : P[a/\alpha]}$$ 


Fig. 5. Type Connectives 

First, using the elimination rule for the unit set, we can see that all constructions 
are (pro-)functorial: 


Construction 1 For any small category $C$, we can construct natural elements 


1. Identity: $\forall\alpha : C.\ \alpha \to_C \alpha$ 

2. Composition: $\forall\alpha_1 : C.\ (\alpha_1 \to_C \alpha_2) \triangleright^{\alpha_2:C} (\alpha_2 \to_C \alpha_3) \triangleright^{\alpha_3:C} (\alpha_1 \to_C \alpha_3)$ 

3. Functoriality: for any $F : \mathrm{Fun}\ C\ D$, $\forall\alpha_1 : C.\ (\alpha_1 \to_C \alpha_2) \triangleright^{\alpha_2:C} (F(\alpha_1) \to_D F(\alpha_2))$. 

4. Profunctoriality: for any $R : \mathrm{Prof}\ C\ D$, if $D$ is small then 
$\forall\alpha_1 : C.\ (\alpha_1 \to_C \alpha_2) \triangleright^{\alpha_2:C} R\,\alpha_2\,\beta_2 \triangleright^{\beta_2:D} (\beta_2 \to_D \beta_1) \triangleright^{\beta_1:D} R\,\alpha_1\,\beta_1$. 


Identity and Composition generalize the reflexivity and transitivity properties of 
equality, respectively, with the lack of symmetry being a key feature of the 
generalization. In addition, we can prove that the (pro)-functoriality axioms commute 
with the composition proof by the $\eta$ principle for the unit. (Pro-)Functoriality 
generalizes the statement that all functions and relations respect equality. 
Naturality is more complex to state, and it is a statement about the proofs so it has 
no analog in ordinary higher-order logic. The following version is stated for any 
profunctor, with the usual case of naturality arising when $R\,\alpha\,\beta = F\alpha \to_D G\beta$. 
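As an added worked example (not from the paper), here is one way to build the Composition element of Construction 1 from the unit elimination rule, using the left-hom workaround mentioned in Section 2.2 to get past the restricted form of $\mathrm{ind}_\to$; the choice of motive and the bound names $\delta$, $x$ are made here, not by the paper, and the rules used are those of Section 2.2.

The goal is an element of
$$\forall\alpha_1 : C.\ (\alpha_1 \to_C \alpha_2) \triangleright^{\alpha_2:C} (\alpha_2 \to_C \alpha_3) \triangleright^{\alpha_3:C} (\alpha_1 \to_C \alpha_3),$$
so after three introductions the context is $\alpha_1 : C,\ f : \alpha_1 \to_C \alpha_2,\ \alpha_2 : C,\ g : \alpha_2 \to_C \alpha_3,\ \alpha_3 : C$ and the required set is $\alpha_1 \to_C \alpha_3$. Eliminating $g$ directly with motive $\alpha_1 \to_C \beta$ is not allowed, because the motive must be a set in the context $\alpha : C; \beta : C$ alone, with no access to $\alpha_1$. Instead take the motive
$$P(\alpha; \beta) \;:=\; (\delta \to_C \beta)\ {}^{\delta:C}\!\triangleleft\ (\delta \to_C \alpha),$$
which is well-formed: $\delta$ is contravariant on both sides, the domain's covariant variable $\alpha$ becomes the contravariant variable of the hom, and the codomain's covariant variable $\beta$ becomes its covariant variable. The continuation must inhabit $P(\alpha;\alpha)$, and the identity function on the hom does:
$$\alpha.\ \lambda(\delta : C, x : \delta \to_C \alpha).\,x \;:\; (\delta \to_C \alpha)\ {}^{\delta:C}\!\triangleleft\ (\delta \to_C \alpha).$$
Unit elimination on $g$ then gives
$$\mathrm{ind}_\to(\alpha.\lambda(\delta, x).x,\ \alpha_2,\ g,\ \alpha_3) \;:\; (\delta \to_C \alpha_3)\ {}^{\delta:C}\!\triangleleft\ (\delta \to_C \alpha_2)$$
in the context $\alpha_2 : C,\ g : \alpha_2 \to_C \alpha_3,\ \alpha_3 : C$, and the left-hom application with $f$ as the argument on the left, instantiating $\delta := \alpha_1 = d^-(\alpha_1, f, \alpha_2)$, yields
$$f\ {}^{\alpha_1}\!\triangleleft\ \mathrm{ind}_\to(\alpha.\lambda(\delta, x).x,\ \alpha_2,\ g,\ \alpha_3) \;:\; \alpha_1 \to_C \alpha_3$$
in the appended context $(\alpha_1, f, \alpha_2) \,\mathrm{Y}\, (\alpha_2, g, \alpha_3)$, which is exactly the context above. Abstracting back out gives the composition element
$$\mathrm{comp} \;:=\; \lambda\alpha_1.\ \lambda(f, \alpha_2).\ \lambda(g, \alpha_3).\ f\ {}^{\alpha_1}\!\triangleleft\ \mathrm{ind}_\to(\alpha.\lambda(\delta, x).x,\ \alpha_2,\ g,\ \alpha_3).$$
Under the erasure to predicate logic described in the introduction, this is the familiar proof of transitivity of equality from its substitution property.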


Lemma 1 (Naturality). For any $t : \forall\alpha : C.\ R(\alpha;\alpha)$, by composing with profunctoriality, 
we can construct terms $\alpha_1 : C, f : \alpha_1 \to_C \alpha_2, \alpha_2 : C \vdash \mathrm{lcomp}(f, t^{\alpha_2})$ 
and $\mathrm{rcomp}(t^{\alpha_1}, f) : R(\alpha_1; \alpha_2)$ that are both equal to $\mathrm{ind}_\to(f, t)$. 


Next, we turn to some of the central theorems of category theory, the Yoneda 
and Co-Yoneda lemmas. Despite being ultimately quite elementary, these are 
notoriously abstract. In VETT, we view these as ordered generalizations of some 
very simple tautologies about equality. For instance, the Yoneda lemma generalizes 
the equivalence between the formulae $\forall y.\, x = y \Rightarrow Py$ and $Px$ for any $x$. 


³ https://github.com/maxsnew/virtual-equipments/blob/master/agda/Examples.agda 
Lemma 2. Let $a : C$ and $\pi : P^+C$. Then 


1. (Yoneda) The profunctor $(a \to_C \alpha') \triangleright^{\alpha':C} (\pi \ni \alpha')$ is isomorphic to $\pi \ni a$ 

2. (Co-Yoneda) The profunctor $(\pi \ni \alpha') \odot^{\alpha':C} (\alpha' \to_C a)$ is isomorphic to $\pi \ni a$ 


The proofs both follow from the unit elimination rule, which is essentially the 
Yoneda lemma: the two cases of showing (1) is an isomorphism are precisely 
the $\beta$ and $\eta$ rules for the unit. 
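As an added worked example (not the paper's own proof), the two maps of the Yoneda isomorphism in Lemma 2(1), written out with the rules of Section 2.2; the motive and the bound names $\pi'$, $x$ are choices made here, and $C$ is assumed small as in Construction 1. Work in the context $\pi : P^+C,\ a : C$, so that $\pi \ni a$ is a set with $\pi$ in the contravariant and $a$ in the covariant position.

Forward direction. Given $h : (a \to_C \alpha') \triangleright^{\alpha':C} (\pi \ni \alpha')$, instantiate the quantified object at $a$ and apply to the identity:
$$\pi : P^+C,\ h : (a \to_C \alpha') \triangleright^{\alpha':C} (\pi \ni \alpha'),\ a : C \;\vdash\; h \triangleright^{a} \mathrm{id}_a \;:\; \pi \ni a,$$
using $a : C \vdash \mathrm{id}_a : a \to_C a$ for the argument and the append $(\pi, h, a) \,\mathrm{Y}\, (a : C)$ for the context.

Backward direction. Given $t : \pi \ni a$ and then $f : a \to_C \alpha'$, we need an element of $\pi \ni \alpha'$. Eliminate $f$ with the motive
$$P(\alpha;\beta) \;:=\; (\pi' \ni \beta)\ {}^{\pi':P^+C}\!\triangleleft\ (\pi' \ni \alpha),$$
whose contravariant variable is $\alpha$ (the domain's covariant variable) and whose covariant variable is $\beta$, as the elimination rule requires; the continuation $\alpha.\lambda(\pi', x).x$ inhabits $P(\alpha;\alpha)$. Then
$$\mathrm{ind}_\to(\alpha.\lambda(\pi', x).x,\ a,\ f,\ \alpha') \;:\; (\pi' \ni \alpha')\ {}^{\pi':P^+C}\!\triangleleft\ (\pi' \ni a)$$
in the context $a : C,\ f : a \to_C \alpha',\ \alpha' : C$, and the left-hom application with $t$ on the left, instantiating $\pi' := \pi = d^-(\pi, t, a)$, gives
$$\pi : P^+C,\ t : \pi \ni a,\ a : C,\ f : a \to_C \alpha',\ \alpha' : C \;\vdash\; t\ {}^{\pi}\!\triangleleft\ \mathrm{ind}_\to(\alpha.\lambda(\pi', x).x,\ a,\ f,\ \alpha') \;:\; \pi \ni \alpha'.$$
Abstracting $f$ and $\alpha'$ with the covariant hom introduction gives the inverse map
$$\lambda(f, \alpha').\ t\ {}^{\pi}\!\triangleleft\ \mathrm{ind}_\to(\alpha.\lambda(\pi', x).x,\ a,\ f,\ \alpha') \;:\; (a \to_C \alpha') \triangleright^{\alpha':C} (\pi \ni \alpha').$$
Applying the inverse map to $\mathrm{id}_a$ reduces by the $\beta$ rule for $\mathrm{ind}_\to$ (the continuation fires, leaving $t\ {}^{\pi}\!\triangleleft \lambda(\pi', x).x$, which is $t$ by the $\beta$ rule for the left hom); the other composite is the $\eta$ rule for the unit, which identifies an element rebuilt by eliminating $f$ with the original element. These are the two cases the proof of Lemma 2 refers to.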

Next, we have the "Fubini" theorems, which relate the tensor and hom types. 
The statement and proofs for these theorems are analogous to proofs relating 
tensor and hom in ordered logic. For instance, the second isomorphism below is 
analogous to the equivalence $(P \odot Q) \multimap R \cong P \multimap Q \multimap R$ in ordered logic. 


Lemma 3 (Fubini). The following isomorphisms hold when the corresponding 
profunctors are well typed. 


1. $P(\alpha;\beta) \odot^{\beta} (Q(\beta;\gamma) \odot^{\gamma} R(\gamma;\delta)) \cong (P(\alpha;\beta) \odot^{\beta} Q(\beta;\gamma)) \odot^{\gamma} R(\gamma;\delta)$ 
2. $(P(\alpha;\beta) \odot^{\beta} Q(\beta;\gamma)) \triangleright^{\gamma} S(\delta;\gamma) \cong P(\alpha;\beta) \triangleright^{\beta} Q(\beta;\gamma) \triangleright^{\gamma} S(\delta;\gamma)$ 
3. $S(\gamma;\delta)\ {}^{\gamma}\!\triangleleft\ (P(\gamma;\beta) \odot^{\beta} Q(\beta;\alpha)) \cong S(\gamma;\delta)\ {}^{\gamma}\!\triangleleft\ P(\gamma;\beta)\ {}^{\beta}\!\triangleleft\ Q(\beta;\alpha)$ 
4. $Q(\delta;\gamma) \triangleright^{\gamma} (S(\beta;\gamma)\ {}^{\beta}\!\triangleleft\ P(\beta;\alpha)) \cong (Q(\delta;\gamma) \triangleright^{\gamma} S(\beta;\gamma))\ {}^{\beta}\!\triangleleft\ P(\beta;\alpha)$ 
5. $\forall\alpha.\ P(\alpha;\beta) \triangleright^{\beta} Q(\alpha;\beta) \cong \forall\beta.\ Q(\alpha;\beta)\ {}^{\alpha}\!\triangleleft\ P(\alpha;\beta)$ 


Proof. We show one case as an example; the forward direction of (1) is given by 
$\lambda\alpha.\ \lambda(x, \delta).\ \mathrm{ind}_\odot(p, \beta, y.\mathrm{ind}_\odot(q, \gamma, r.((p, \beta, q), \gamma, r); y); x)$ 


Next, we can prove that two definitions of an adjunction are equivalent: 


Lemma 4. For $R : \mathrm{Fun}\ D\ C$ and $L : \mathrm{Fun}\ C\ D$, the following are in bijection: 


1. An isomorphism of profunctors $(L\alpha \to_D \beta) \cong (\alpha \to_C R\beta)$ 
2. A unit $\eta : \forall\alpha.\ \alpha \to_C R(L\alpha)$ and co-unit $\varepsilon : \forall\beta.\ L(R(\beta)) \to_D \beta$ satisfying the 
triangle identities. 


Proof. Given the forward homomorphism $\mathrm{lr}$, we can construct $\eta = \lambda\alpha.\ \mathrm{lr}^{\alpha} \triangleright^{L\alpha} \mathrm{id}_{L\alpha}$. 
Given the unit we can reconstruct the forward homomorphism using $\mathrm{comp}$ (composition) 
and $\mathrm{fctor}$ (functoriality) from Construction 1 as 

$$\mathrm{comp}^{\alpha} \triangleright^{R(L\alpha)} \eta^{\alpha} \triangleright^{R\beta} (\mathrm{fctor}(R)^{L\alpha} \triangleright^{\beta} f).$$


We can define weighted limits, which as special cases include ordinary limits 
and Kan extensions. 


Definition 1. For a functor $D : \mathrm{Fun}\ J\ C$ and a profunctor $W : \mathrm{Prof}\ K\ J$, the 
limit of $D$ weighted by $W$ is (if it exists) a functor $\lim^W D : \mathrm{Fun}\ K\ C$ with an 
isomorphism $\alpha \to_C (\lim^W D)k \cong W\,k\,j \triangleright^{j:J} (\alpha \to_C D\,j)$. 

This generalizes the usual definition that a morphism into a limit is a cone over 
the diagram $(\alpha \to_C D\,j)$ to be parameterized by a weight $W\,k\,j$. Then we can 
prove the well-known theorem that right adjoints preserve (weighted) limits: 
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Theorem 1. If lim” D exists and is a limit and R : FunC C’ has a left adjoint 
L, then \«.R((lim™ D )k) is the limit of \j.R(Dj) weighted by W. 


Proof. 
y> R((lim™” D)«) & Ly > (lim” D)k & WkjoYd Ly > Dj © Wkjo”? y—> R(Dj) 


This is a high level proof in terms of isomorphisms that may be written in 
VETT. The first two steps are the instantiation of assumptions (adjointness, 
weighted limits). The last step uses the fact that natural isomorphisms lift to 
natural isomorphisms of homs of profunctors. The construction of this isomor- 
phism illustrates how naturality need not be proved explicitly in VETT. For 
any $\phi : \forall\alpha.\,R'\alpha\beta \triangleright^{\beta} R\alpha\beta$ and $\psi : \forall\gamma.\,S\gamma\beta \triangleright^{\beta} S'\gamma\beta$ we can construct a natural 
transformation $\phi \triangleright \psi : \forall\gamma.\,(R\alpha\beta \triangleright^{\beta} S\gamma\beta) \triangleright^{\alpha} (R'\alpha\beta \triangleright^{\beta} S'\gamma\beta)$ as 

AY- (f, a). à (r, B).W7 PF (f oP (6% pF r)). Furthermore if $\phi$ and $\psi$ have inverses, 
then $\phi^{-1} \triangleright \psi^{-1}$ is the inverse of $\phi \triangleright \psi$. 


4 Semantics 


Next, we develop the basics of the model theory for VETT. First, we define 
a sound and complete notion of categorical model based on hyperdoctrines of 
virtual equipments. Then we instantiate this general notion of model to show that 
VETT can be interpreted in ordinary category theory as well as enriched, 
internal and indexed notions. 

First, we can model the judgmental structure of the unary type theory and 
predicate logic in virtual double categories that are split fibrant and have a notion 
of small object [32,17]. We briefly recount the structure present in a virtual 
double category, but see [17] for a precise definition of the composition rules for 
2-cells and functor of virtual double categories. 


Definition 2. A virtual double category $V$ consists of 

1. A category $V_0$ of “objects and vertical arrows” 

2. A set $V_1$ of “horizontal arrows” with source and target functions $s, t : V_1 \to V_0$ 

3. Sets of 2-cells of the following form, with appropriate “multi-categorical” 
notions of identity and composition: 


[diagram: a 2-cell $\phi$ whose top row is a composable string of horizontal arrows $R_0, \ldots, R_n$ starting at $C_0$, whose bottom row is $S : D_0 \nrightarrow D_1$, with vertical arrows $f$ on the left and $g$ on the right] 


We say that the 2-cell $\phi$ has $S$ as codomain, the sequence $R_0 \cdots R_n$ as domain 
and call $f$ and $g$ the left and right “frames”, or that $\phi$ is framed by $f$ and $g$. 
We say a virtual double category is split fibrant when it has a choice of re- 
strictions, that is, for any horizontal arrow $R : C \nrightarrow D$ and vertical arrows 
$f : C' \to C$ and $g : D' \to D$ there is a chosen horizontal arrow $R(f,g) : C' \nrightarrow D'$ 
with a cartesian 2-cell to $R$ framed by $f, g$, and these chosen cartesian lifts are 
functorial in $f, g$ ([46]). A choice of small objects is a subset of the objects 
$V_s \subseteq V_0$. A morphism of split fibrant virtual double categories with small ob- 
jects is a functor of the virtual double categories that additionally preserves the 
restrictions and smallness of objects. This defines a category fVDCs. 


In the presence of restrictions, every 2-cell can be represented as a “globular” 
2-cell where the left and right frame are identities [46]. For example the 2-cell 
$\phi$ above can be represented as one with the same domain but whose codomain 
is $S(f,g)$. This property is crucial for the completeness of our semantics as we 
only include a syntax for these globular terms (proof of Construction 2). Each 
component of this definition has a direct correspondence to a syntactic structure 
in VETT. The objects of $V_0$ model the category judgment and the morphisms 
model the functor judgment. The set $V_1$ models the profunctor judgment. A 
composable string $R_0 \cdots R_n$ models the profunctor contexts. The 2-cells corre- 
spond to the natural transformation judgment where we have taken the restric- 
tion $S(F,G)$ of the codomain. Note that Cruttwell and Shulman define a virtual 
equipment to be a virtual double category with all restrictions and all units. The 
units are the model of the unit of profunctors connective and so all of our models 
with the unit will be virtual equipments, hence the name VETT. 

To model the dependent type theory and indexing of category-theoretic judg- 
ments by a $\Gamma$ with an action of substitution, we use a variation on Lawvere’s 
notion of hyperdoctrine for modeling predicate logic [31]*: 


Definition 3 (VETT Judgmental model). A VETT judgmental model ($\mathrm{VM}_J$) 
is a pair of a category with families $C$ and a functor $V^{(-)} : C^{op} \to \mathrm{fVDCs}$. 


Categories with families $C$ model dependent type theory [22] and for each se- 
mantic context $\Gamma$, $V^{\Gamma}$ models the VETT judgments in context $\Gamma$, with the 
functoriality modeling the fact that all of these judgments admit a well-behaved 
action of substitution. A $\mathrm{VM}_J$ is then precisely the structure corresponding to 
the judgments and actions of substitution in VETT. 


Construction 2 (Syntactic Model) The syntax of VETT in which any sub- 
set of connectives is included presents a $\mathrm{VM}_J$. 


Proof. Define the category of families using the dependent type structure and 
the virtual equipment structure having (a-equivalence classes of) syntactic cat- 
egories as objects, functors/sets as vertical/horizontal arrows and interpreting 
compositions/restrictions as substitutions. The biggest gap between syntax and 
semantics is in the definition of the 2-cells. A 2-cell from 

$(\alpha_1 : C_1; \alpha_2 : C_2 \vdash R_1), (\alpha_2 : C_2; \alpha_3 : C_3 \vdash R_2), \ldots$ to $(\beta_1 : D_1; \beta_2 : D_2 \vdash S)$ 


* Note that unlike in hyperdoctrines, we do not require quantifiers adjoint to substitution. 
with frames $\alpha_1 : C_1 \vdash b_1 : D_1$ and $\alpha_n : C_n \vdash b_2 : D_2$ is given by a term 
$x_1 : R_1, x_2 : R_2, \ldots \vdash s : S[b_1/\beta_1; b_2/\beta_2]$. Composition is defined by substitution. 


Then the connectives of VETT each precisely correspond to a universal con- 
struction in a $\mathrm{VM}_J$. The $\Pi$, $\Sigma$, $\mathrm{Id}$ types correspond to their standard semantics 
in a CwF and the connectives for categories and profunctors correspond to uni- 
versal constructions in the virtual double categories. Products of categories are 
interpreted as products in the vertical category, and products of sets as products 
in the category of pro-arrows and 2-cells. The units, tensor and covariant and 
contravariant homs are modeled by the universal properties of the same names, 
as described in [46]. The graph of a profunctor is modeled by tabulators [25]. 
Finally, the covariant and contravariant presheaf categories can be described as 
a weakening of the definition of a Yoneda equipment from [19] to virtual double 
categories. More detailed descriptions of these universal properties are included 
in the extended version [37]. Then the soundness and completeness of this notion 
of categorical model is formalized by the following initiality theorem. 


Theorem 2 (Initiality). The syntax of VETT with any subset of connectives 
that includes the hom types presents a $\mathrm{VM}_J$ that is initial in the category of $\mathrm{VM}_J$ 
with the chosen instances of the universal properties and functors that preserve 
such chosen instances. 


Proof. Construction 2 can be extended for any connective modularly, with 
the exception that the unit relies on the presence of hom sets in order to satisfy 
the “distributivity” requirement that its elimination can occur in any context. 
Then we can construct the unique morphism to any HVE by induction on syntax. 


Now that we have a category-theoretic notion of model, we give some model 
construction theorems that can be used to justify our intuitive notion of seman- 
tics in (enriched, internal, indexed) category theory. First, we can extend any 
set-theoretic model of the category theoretic judgments to a hyperdoctrine of 
models where the category of families is the category of sets: 


Construction 3 Given a $V \in \mathrm{fVDCs}$, we can construct a $\mathrm{VM}_J$ $V^{(-)} : \mathrm{Set}^{op} \to 
\mathrm{vDbl}$ by defining the objects of $V^X$ to be functions $X \to V_0$, and similarly for morphisms and 
2-cells, with all operations given pointwise. 


Then to define a model of VETT with a collection of connectives it is sufficient 
to construct a virtual equipment with the corresponding universal properties. 
The “standard model” is the virtual double category of locally small categories 
where the small objects are the small categories. 


Construction 4 Fix a cardinal $\kappa$. The virtual double category $\mathrm{Cat}_\kappa$ is defined 
to have as objects locally $\kappa$-small categories, small objects as $\kappa$-small categories, 
vertical morphisms as functors, horizontal arrows as functors $C^{op} \times D \to \kappa\mathrm{Set}$ 
and 2-cells as morphisms of profunctors. Restriction of profunctors is given by 
composition, which is strictly associative and unital. $\mathrm{Cat}_\kappa$ has objects satisfying 
the universal properties of all connectives in VETT. 
More generally, categories internal to, enriched in and/or indexed by suffi- 
ciently nice categories define a virtual equipment that models the connectives 
of VETT. We highlight one example from the literature that is highly general: 
Shulman’s enriched indexed categories [47]. Shulman’s construction defines a 
virtual double category of large and small $V$-categories for any pseudofunctor 
$V : S \to \mathrm{MonCat}$ where $S$ is a category with finite products. He gives ex- 
amples that show that this subsumes ordinary internal, enriched and indexed 
categories for suitable choices of $V$, as well as more general categories that can 
be thought of as both indexed and enriched. This is slightly weaker than what we 
require: to have split restrictions, we need that $V$ be a strict functor, not merely 
a pseudo-functor. This is analogous to the situation for dependent type theory, 
where syntactic substitution is strictly associative, but semantic substitution is 
typically given by pullback, which is only associative up to unique isomorphism. 
Shulman’s construction carries over when the functor is strict but some of its 
example instances would require a strictification theorem. 


Construction 5 (Shulman [47]) Given any functor $V : S^{op} \to \mathrm{SymMonCat}$ 
such that $S$ and $V$ have sufficiently well-behaved (indexed) $\kappa$-products, then there 
is a virtual equipment $V\text{-}\mathrm{Cat}$ whose objects are locally $\kappa$-small $V$-categories, 
small objects are $\kappa$-small $V$-categories, etc. This virtual equipment has objects 
satisfying all of the universal properties needed for a model of VETT. 


A final model that uses a CwF that is not Set would be given by taking 
extensional dependent type theory as the CwF and interpreting the category- 
theoretic constructions by their definitions inside type theory. 


5 Related and Future Work 


We now compare VETT with other calculi for formal category theory. 

Cáccamo and Winskel [12] develop a formal language for defining categories, 
functors (of many variables) and proving existence of natural equivalences be- 
tween them. Their system can encode profunctors as functors into Set. Their 
natural equivalence judgment does not have proof terms or equality between 
equivalences and they do not support natural transformations. Additionally, 
they only consider ordinary categories as the intended model and do not de- 
velop a more general semantics. Riehl and Verity [43] use a formal language 
of virtual equipments to prove results valid for $\infty$-categories without concrete 
manipulation of model categories. They formalize this language as a theory in 
Makkai’s framework of first-order logic with dependent sorts (FOLDS). While 
this previous work has the same models as VETT, we believe that the syntax 
we propose in this paper formalizes informal arguments more directly, as shown 
in Section 3. This is because the FOLDS approach is entirely relational, 
whereas we formalize concepts like restriction of a profunctor or composition of 
natural transformations as functional operations (substitution). In particular, 
this means that our calculus requires only vertically degenerate squares (ele- 
ments/natural transformations) as a “user-facing” notion, with general squares 
occurring only in the admissible substitution operations. 
The coend calculus [33] is an informal syntax for manipulating profunctors 
involving ends and coends; an extension of VETT to treat profunctors of many 
variables of different variances may provide a formal treatment of it. 

Myers [35] provides a string diagram calculus for double categories and pro- 
arrow equipments, generalizing string diagrams for monoidal categories. These 
are an alternative approach to type-theoretic calculi, with the string diagrams 
typically making tensor products simpler to work with, while a type-theoretic 
calculus like VETT makes the closed structure $P \triangleright Q$ simpler to work with by 
using bound variables. 

Cartesian bicategories are similar to equipments but they axiomatize the 
bicategory of profunctors rather than the full double category of functors and 
profunctors [13]. Frey [23] describes preliminary work on a proof system for 
Cartesian bicategories. Their profunctors are more general than in VETT in that 
they may have 0, 1 or more covariant or contravariant variables. But they do 
not have a term syntax for functors or natural transformations. 

Our work in this paper fits broadly into a line of work on directed dependent 
type theories, a type theory where the identity type is interpreted as morphisms 
in a (possibly $\infty$-)category. In directed type theories based on a bisimplicial 
model [42,11,55,54], morphism types are defined using an interval object, like 
in cubical type theory [8,16,4,3], and universal properties like “morphism in- 
duction” are an internally definable property of certain types. Other type the- 
ories [38,1] define morphism types via an induction principle, corresponding to 
the lifting properties of certain kinds of fibrations of categories. While these pre- 
vious works can express some constructions on Cat that are not expressible in 
VETT, because VETT is more restricted, VETT contrariwise has more mod- 
els, for instance categories enriched in non-cartesian monoidal categories, so the 
theorems that are provable in VETT apply in more settings. 

Finally, some variations on double categories have been used to model the 
structure of certain program logics. GTT [36] is a logic for vertically thin pro- 
arrow equipments, where there is at most one vertical arrow or 2-cell of any type, 
so their calculus does not include functor or transformation judgments. Another 
similar calculus is System P [21] which is an internal language of reflexive graph 
categories, which are like double categories without horizontal composition. 

In future work, VETT could incorporate functor categories by generalizing 
the unary type theory of functors to functors of many variables, in which case 
ordinary $\lambda$-calculus can be used to define functor categories as function types, 
and incorporate multi-variable profunctors as in [23]. This would require the 
models to have a monoidal structure. Ideas from coeffects and enriched category 
theory may be useful for defining opposite categories [48,10]. 
Abstract. We propose a superposition-based proof procedure to reason 
on equational first order formulas defined over graphs. First, we introduce 
the considered graphs that are directed labeled graphs with lists of roots 
standing for pins or interfaces for replacements. Then the syntax and 
semantics of the considered logic are defined. The formulas at hand are 
clause sets built on equations and disequations on graphs. Afterwards, a 
sound and complete proof procedure is provided, and redundancy criteria 
are introduced to dismiss useless clauses and improve the efficiency of 
the procedure. In a first step, a set of inferences rules is provided in the 
case of uninterpreted labels. In a second step, the proposed rules are 
lifted to take into account labels defined as terms interpreted in some 
arbitrary theory. Particular formulas of interest are Horn clauses, for 
which stronger redundancy criteria can be devised. Essential differences 
with the usual term superposition calculus are emphasized. 


1 Introduction 


Graphs are ubiquitous structures in computer science. They are used to model 
several notions such as data, program runs (transition systems), networks, soft- 
ware and hardware architectures. They are also often used as foundational struc- 
tures to model knowledge or data bases, cognitive or intelligent systems as well as 
physical, chemical or biological phenomena. They constitute, in addition, the ba- 
sis of operational research or combinatorics. Graphs are, definitely, fundamental 
structures for modelling, computing and reasoning. Graph transformations have 
been studied since the early 70’s [29]. Some of their applications can be found in 
[16,18]. In the literature, one can distinguish two main streams of approaches for 
graph transformation, namely the algebraic approaches [15,12] where category 
theory is used to define structure transformations in a very abstract and elegant 
way and the algorithmic approaches where graph transformations are defined by 
means of the actual algorithms involved in the transformations [20,13]. 

During the last decade, a very interesting application of graph transforma- 
tions has emerged in the area of quantum models of computation, see e.g., the 
calculi ZX [11], ZH [3], ZW [24] or PBS [10]. In these calculi, one can spec- 
ify quantum algorithms using particular graphs and can make some equational 
reasoning on them to verify correctness of quantum algorithms, see e.g. the 
Quantomatic tool [25]. In such situations, making automated equational reason- 
ing over graphs is very desirable even though equational theories over graphs are 
not recursively enumerable in general (see e.g. [7]). 

The superposition calculus [1] is one of the most successful automated proof 
procedures handling equational theories (on terms), and it is implemented in 
various theorem provers such as Vampire [28], Spass [32], or 
E [30]. The calculus operates on finite sets of equational clauses. It is defined 
as a set of inference rules, which deduce new clauses from previous ones. To 
prune the search space, strong restrictions (based on term orderings and literal 
selection functions) are imposed on the inferences, and redundancy criteria are 
provided to detect and dismiss useless clauses. The rules are applied until a con- 
tradiction (i.e., the empty clause) is derived or until the set is saturated, i.e., 
no further non-redundant clause may be deduced. The calculus is refutationally 
complete, in the sense that it is able to derive a contradiction from any unsatis- 
fiable clause set. In a recent work [14], we proposed a superposition calculus for 
testing the unsatisfiability of sets of equations and disequations between graphs 
whose shapes are inspired by those used in the ZX calculus, where nodes are 
labeled by first-order (uninterpreted) terms. In the present paper we extend this 
work in several directions: (i) We tackle full clauses, i.e., disjunctions of equa- 
tions and disequations. This extension turned out to be much more difficult 
than we initially expected, due to the fact that no reduction order exists on the 
considered graphs (see Examples 19 and 22), which complicates the complete- 
ness proof. We introduce redundancy criteria that cover some usual deletion and 
simplification rules. (ii) We lift the obtained calculus into a constrained calculus 
operating on graphs labeled by terms interpreted in some base theory. The pro- 
cedure is a semi-decision procedure for unsatisfiability if the underlying theory 
is (semi) decidable and compact. (iii) We consider a slightly different class of 
graphs, where multi-edges are allowed. The new framework has the advantage 
of being both more general and simpler, and it also improves the efficiency of 
the calculus (more precisely for the computation of “merges” between graphs, 
see Remark 9). 


Why defining a graph superposition calculus is difficult. We wish to 
emphasize some important differences between term and graph superposition. 
(i) It is well-known that term rewrite systems that are terminating and in which 
all critical pairs are joinable are confluent. This property plays a key role in the 
completeness proof of the superposition calculus. However, such a property does 
not hold for graph rewrite systems, and, worse, confluence is undecidable for 
terminating graph rewrite rules (if confluence is meant modulo isomorphism). 
As it is done in [14] we overcome this issue by considering a special class of 
graphs, for which the above property holds. This class is obtained by restricting 
the way graphs can be composed and replaced, using a sequence of distinguished 
nodes in the graphs, called roots. (ii) The usual superposition calculus is based 
on the use of a reduction order, i.e., a well-founded order on terms that is total 
on ground terms and closed under instantiation and embedding. Unfortunately 


A Strict Constrained Superposition Calculus for Graphs 137 


no such order exists for graphs in general (see Example 19). Thus the model 
construction algorithm used to establish refutational completeness must cope 
with non-terminating systems (indeed, since a ground equation $g \approx h$ cannot 
always be oriented, one must consider both rules: $g \to h$ and $h \to g$, which entails 
that the system does not terminate). Confluence is harder to establish for non 
terminating systems and we need to devise a new confluence criterion. (iii) The 
usual redundancy criterion of [1] (where a clause is considered redundant if it is 
implied by smaller clauses) does not apply to graphs. For instance the conclusion 
of an inference may be strictly bigger than all the premises (see Example 21). 
This is due to the fact that two graphs may overlap without one of them being 
included in the other. Such a behavior cannot be avoided, since, as proven in [14, 
Theorem 45], satisfiability is undecidable for sets of ground equational clauses 
defined on graphs (whereas it is well known to be decidable for standard ground 
clauses based on terms), thus superposition cannot terminate on ground graphs. 
Furthermore, we show (see Example 22) that the calculus is — rather surpris- 
ingly — not compatible with tautology deletion in general (tautology deletion is 
possible for Horn clauses). 


Related work. The graphs we are considering are intended to capture (pos- 
sibly cyclic) circuit shaped structures such as those used in the ZX or related 
calculi. They are close to hypergraphs with interfaces as used in some papers 
(see, e.g. [5]) where the roots or interfaces are used in the gluing process while 
transforming a graph. We follow an algorithmic approach when transforming the 
graphs. This approach eases the completeness proofs of the proposed superposi- 
tion calculus. However, the performed graph transformations used in the present 
paper can be encoded as simple double pushout (DPO) [19] steps of the form 
$L \leftarrow \mathrm{Roots} \to R$ with some additional constraints on matched subgraphs. It is 
also a particular case of DPOI steps (DPO with interfaces) where the roots play 
the rôle of the interfaces [5]. Automated reasoning in presence of graph structures 
is not an easy task in general. Several authors did tackle this problem and one 
can distinguish different approaches in the literature. Variants of Hoare-like cal- 
culi have been proposed for the verification of graph transformation systems see, 
e.g., [23,26,6,8]. Likewise, model checking procedures have also been devised in 
presence of graph structures see, e.g. [27,31]. In these works, a dynamic logic un- 
derlying program execution is assumed. In addition, a dedicated logic is used to 
express graph properties to be proven. Other techniques have been used to prove 
graph equivalences such as bisimulation [17] or normalization using terminating 
and confluent graph rewriting systems [9]. In the paper at hand, we are rather 
concerned by a refutational proof technique based on superposition dedicated to 
a class of graphs. Thus our proof procedure departs from all the aforementioned 
works. To our knowledge, only the report [22] presents a refutational procedure 
dedicated to ZX diagrams which is close to ours. However, the authors use the 
classical superposition calculus [1] over first-order terms and provide a trans- 
lation from the considered graphs to first-order terms. Such translation needs 
the use of additional axioms encoding some graph properties such as associativ- 
ity and commutativity of graph constructor operations. Such additional axioms 
are useless in our framework. The class of graph rewriting systems handled in 
our proof procedure are not necessarily terminating and thus we had to devise 
new criteria to ensure their (ground) confluence instead of using joinability of 
pre-critical pairs as done in [4]. 

The paper is organized as follows. Section 2 introduces some basic notations 
and defines the considered graphs and the operations used over them. In Section 3 
the syntax and semantics of the formulas are introduced. In Section 4, a first 
set of inference rules is defined to test the satisfiability of sets of clauses where 
graphs are endowed with uninterpreted labels and its completeness is established 
modulo a redundancy criterion that captures usual deletion or simplification 
rules (such as subsumption). In Section 5 the obtained calculus is lifted to graphs 
labeled with terms that can be interpreted in some arbitrary theory and possibly 
containing variables. Completeness is guaranteed if the theory is semi-decidable 
and compact. This last calculus is proven complete and an enhanced redundancy 
test is proposed. Concluding remarks are given in Section 6. Due to lack of space, 
proofs are omitted. 


2 Graphs and Graph Operations 


We briefly review some usual definitions and notations. For any partial function 
$f$, we denote by $\mathrm{dom}(f)$ the domain of $f$. If $f$ and $g$ are partial functions, 
we write $f(x) = g(x)$ to state that either $x \notin \mathrm{dom}(f) \cup \mathrm{dom}(g)$ or that $x \in 
\mathrm{dom}(f) \cap \mathrm{dom}(g)$ and the images of $x$ by $f$ and $g$ are identical. Given a multiset 
$m$ and an element $e$, $m(e)$ denotes the multiplicity of $e$ in $m$. For all multisets $m_1$ 
and $m_2$, we denote by $m_1 + m_2$ and $m_1 - m_2$ the sum and difference of $m_1$ and $m_2$, 
respectively. We write $m_1 \subseteq m_2$ to state that $m_1$ is included in $m_2$. A multiset 
containing exactly the elements $e_1, \ldots, e_n$ is written $\{e_1, \ldots, e_n\}$. We denote by 
$m_1 \cup m_2$ the union of $m_1$ and $m_2$ (i.e., the minimal multiset containing $m_1$ and $m_2$), 
defined as follows: for all elements $e$, $(m_1 \cup m_2)(e) = \max(m_1(e), m_2(e))$. Finite 
sequences may sometimes be identified with sets if the order is not important, 
e.g., if $y = (y_1, \ldots, y_n)$, we may write $x \in y$ to state that $x = y_i$, for some 
$i = 1, \ldots, n$. We recall that a preorder is a binary relation that is reflexive and 
transitive. Any preorder $\leq$ may be associated with a strict order $<$ defined as 
follows: $x < y \iff (x \leq y \wedge y \not\leq x)$. 

The graphs we consider are directed, labeled graphs enriched with a sequence 
of distinguished nodes, called roots: 


Definition 1. Let $\mathcal{N}$ be a countably infinite set of nodes and let $\mathcal{L}$ be a set of 
labels, disjoint from $\mathcal{N}$. An $\mathcal{L}$-graph $g$ is a tuple $(N, E, R, L)$, where: 

— $N \subseteq \mathcal{N}$ is a finite set of nodes in $\mathcal{N}$, called vertices or nodes; 

— $E$ is a finite multiset of pairs in $N \times N$, called edges; 

— $R$ is a sequence of nodes in $N$, with no repetition, called the roots of $g$; 

— $L$ is a function mapping every node in $N \setminus R$ to a label in $\mathcal{L}$. 
The components $N$, $E$, $R$ and $L$ of a graph $g$ are denoted by $N_g$, $E_g$, $R_g$ and 
$L_g$, respectively. We denote by $\mathring{N}_g$ the set of nodes $\alpha \in N_g$ that do not occur in 
$R_g$. The profile of a graph $g$, written $\mathrm{pr}(g)$, is the length of $R_g$. 


Example 2. The $\mathcal{L}$-graph $g$ with $N_g = \{\rho_1, \alpha, \beta\}$, $E_g = \{(\rho_1, \alpha), (\rho_1, \beta), (\alpha, \beta)\}$, 
$R_g = (\rho_1)$, $\mathrm{dom}(L_g) = \{\alpha, \beta\}$, $L_g(\alpha) = 0$ and $L_g(\beta) = 1$ is depicted graphically 
as follows: 

[figure: the graph $g$] 

We write $\alpha : \ell$ to state that a node named $\alpha$ is labeled by 
$\ell$. In many cases, the names of the non-root nodes will 
be irrelevant, and will thus be omitted. When possible, 
root nodes will be named $\rho_1, \rho_2, \rho_3, \ldots$ in this order. 


In the following, $\mathcal{L}$-graphs will be considered up to a renaming of nodes. More 
precisely, the isomorphism relation on $\mathcal{L}$-graphs is defined as follows. 


Definition 3. An $\mathcal{N}$-renaming $\mu$ is an injective mapping from $\mathcal{N}$ to $\mathcal{N}$. It is 
extended to any $\mathcal{L}$-graph $g$ by replacing every occurrence of a node $\alpha$ by $\mu(\alpha)$. In 
particular, the function $L_{\mu(g)}$ is defined as follows: $L_{\mu(g)}(\alpha) = \ell$ iff $L_g(\beta) = \ell$ 
for some $\beta \in N_g$ such that $\mu(\beta) = \alpha$ ($L_{\mu(g)}$ is well-defined since $\mu$ is injective). 
We write $g \equiv h$ if $h = \mu(g)$, for some $\mathcal{N}$-renaming $\mu$. It is easy to check that $\equiv$ 
is an equivalence relation. Two $\mathcal{L}$-graphs $g, h$ such that $g \equiv h$ are isomorphic. 


2.1 Subgraphs and Replacement 


We define the notion of a subgraph. The definition is slightly stronger than the 
usual one in graph theory because it imposes that only nodes that are roots in 
the subgraph can be connected to a node outside the subgraph. These roots can 
be viewed as an “interface” which restricts the way graphs may be connected 
and composed. 


Definition 4 (Subgraph). A graph $h$ is a subgraph of $g$ (written $h \unlhd g$) if 
$N_h \subseteq N_g$, $E_h \subseteq E_g$, $\mathring{N}_h \subseteq \mathring{N}_g$, $L_h(\alpha) = L_g(\alpha)$ for all $\alpha \in N_h$ and if a node $\alpha$ 
occurs in an edge in $E_g - E_h$ then $\alpha \notin \mathring{N}_h$. 


Example 5. Consider the $\mathcal{L}$-graphs $h$, $i$, $j$ and $\ell$ with respective roots $(\alpha, \beta)$, $(\beta)$, 
$(\alpha)$ and $(\rho_1)$, defined as follows: 

[figure: the graphs $h$, $i$, $j$ and $\ell$] 

The $\mathcal{L}$-graph $h$ is a subgraph of the $\mathcal{L}$-graph $g$ from Example 2, but $i$, $j$ and 
$\ell$ are not. Indeed, $\alpha$ has different labels in $g$ and $i$; $g$ contains an edge between 
$\rho_1$ and $\beta$ that does not occur in $j$ and $\beta$ is not a root node in $j$; and $E_g - E_\ell$ 
contains the edge $(\alpha, \beta)$ between nodes that are not roots in $\ell$. 


The replacement operation is defined in a natural way: all vertices and edges 
of the replaced subgraph are deleted and replaced by those in the 
replacing graph (we assume that the considered graphs share the same roots). 
Definition 6 (Subgraph replacement). Let $g$ be an $\mathcal{L}$-graph and let $h$ be a 
subgraph of $g$. An $\mathcal{L}$-graph $i$ is substitutable for $h$ in $g$ if $R_i = R_h$ and $\mathring{N}_i \cap N_g = \emptyset$. 
If $i$ is substitutable for $h$ in $g$, then we denote by $g\{h \leftarrow i\}$ (the $\mathcal{L}$-graph obtained 
by replacing $h$ by $i$ in $g$) the tuple $(N', E', R', L')$, where: 

— $N' = (N_g \setminus N_h) \cup N_i$. Note that since $R_i = R_h$ we have $N' = (N_g \setminus \mathring{N}_h) \cup \mathring{N}_i$. 

— $E' = (E_g - E_h) + E_i$. 

— $R' = R_g$. 

— $L'(\alpha) = L_g(\alpha)$ if $\alpha \in N_g \setminus \mathring{N}_h$, and $L'(\alpha) = L_i(\alpha)$ if $\alpha \in \mathring{N}_i$, for all $\alpha \in N' \setminus R'$. 


Example 7. Let $i'$ be the $\mathcal{L}$-graph with root $(\alpha, \beta)$ defined below. Using the $\mathcal{L}$- 
graphs $g$ and $h$ from Examples 2 and 5, we get the following $\mathcal{L}$-graph $g\{h \leftarrow i'\}$ 
(the edge $(\alpha, \beta)$ occurs twice because it occurs both in $E_{i'}$ and in $E_g - E_h$): 

[figure: the graphs $i'$ and $g\{h \leftarrow i'\}$] 


The notation $g\{h \leftarrow i\}$ is extended to the case where $\mathrm{pr}(i) = \mathrm{pr}(h)$ as 
follows: $g\{h \leftarrow i\} = g\{h \leftarrow i'\}$, where $i'$ is any $\mathcal{L}$-graph substitutable for $h$ in $g$ 
such that $i \equiv i'$. Thus the replacement operation possibly involves a renaming 
step, to avoid conflicts on the names of the nodes. The next proposition states 
a straightforward property of subgraph replacement: 


Proposition 8. Let $g, h, i, j$ be $\mathcal{L}$-graphs, where $i \unlhd h \unlhd g$ and $\mathrm{pr}(i) = \mathrm{pr}(j)$. 
Then $g\{h \leftarrow h\{i \leftarrow j\}\} = g\{i \leftarrow j\}$. 


Remark 9. Note that Proposition 8 would not hold if edges were defined as sets 
and not as multisets. For instance, consider $\mathcal{L}$-graphs $g, h$ with two root nodes 
$\rho_1, \rho_2$, where $g$ contains an edge $(\rho_1, \rho_2)$ and $h$ contains no edges. If edges are 
taken as sets then we get $g\{h \leftarrow g\} = g$ and $g\{g \leftarrow h\} = h$, whereas $g\{h \leftarrow 
h\} = g$. In our previous work [14], this problem was overcome by restricting 
ourselves to induced subgraphs (which prevents the replacement of $h$ by $g$ in $g$), 
but this causes a combinatorial explosion in the definition of the calculus: when 
one “merges” two subgraphs, it is necessary to add every possible combination of 
edges connecting a root of the first $\mathcal{L}$-graph to a root of the second one, yielding 
exponentially many solutions w.r.t. the number of roots (see [14, Definition 30]). 
Such a behavior is avoided in the new framework. 


We now introduce a notion of orthogonality between graphs. The intuition is
that two L-graphs will be considered orthogonal if they share no edges and no
nodes other than roots.

Definition 10 (Orthogonal graphs). Let $g$ be an L-graph. Two subgraphs
$h$ and $i$ of $g$ are orthogonal in $g$, or simply orthogonal, if $N_h \cap N_i \subseteq R_h \cap R_i$ and
$E_h + E_i \subseteq E_g$.


Note that $h$ and $i$ may share root nodes. Proposition 11 states that the result of
the replacement of two orthogonal subgraphs does not depend on the order in
which the L-graphs are considered.


Proposition 11. Let $g$ be an L-graph, and let $h_1, h_2$ be orthogonal subgraphs
of $g$. For all L-graphs $i_1, i_2$ of respective profiles $\mathrm{pr}(h_1)$ and $\mathrm{pr}(h_2)$, $h_2$ and $h_1$
are subgraphs of $g\{h_1 \leftarrow i_1\}$ and $g\{h_2 \leftarrow i_2\}$, respectively, and $g\{h_1 \leftarrow i_1\}\{h_2 \leftarrow i_2\} = g\{h_2 \leftarrow i_2\}\{h_1 \leftarrow i_1\}$.


2.2 Graph Merging 


Intuitively, a merge of two L-graphs $g_1$ and $g_2$ denotes any minimal L-graph
containing all vertices, labels and edges in $g_1$ and $g_2$. More formally:


Definition 12. A merge of two L-graphs $g_1$ and $g_2$ is an L-graph $h$ such that:
(i) $g_i \trianglelefteq h$, for all $i = 1, 2$; (ii) $N_h = N_{g_1} \cup N_{g_2}$, $E_h = E_{g_1} \cup E_{g_2}$ and $R_h = R_{g_1} \cup R_{g_2}$; (iii) for all $i = 1, 2$ and for all $a \in N_{g_i} \setminus R_{g_i}$, $L_h(a) = L_{g_i}(a)$.


Note that in contrast to [14, Definition 30], the merge contains no node and
edge other than those occurring in $g_1$ or $g_2$. Moreover, the multiplicity of edges
is minimal ($E_h$ is defined as $E_{g_1} \cup E_{g_2}$ instead of $E_{g_1} + E_{g_2}$). It is easy to check
that a merge of $g_1, g_2$ exists iff $L_{g_1}(a) = L_{g_2}(a)$ holds for all $a \in N_{g_1} \cap N_{g_2}$.
Moreover, all the merges are equal up to a permutation of their roots.


Example 13. Consider the L-graphs $g$ and $h$ below, of respective roots
$(p_1, p_2)$ and $(p_2, p_3)$, where the nodes $\alpha, \beta, \gamma$ are labeled by 0, 1 and 2, respectively.
These L-graphs admit the following merge $i$, of root $(p_1, p_2, p_3)$:

[Figure: the L-graphs $g$, $h$ and their merge $i$; the drawing is not recoverable from the extracted text.]


Example 14. Let $g, h, i$ and $j$ be the L-graphs defined as follows:

[Figure: the L-graphs $g$, $h$, $i$, $j$; the drawing is not recoverable from the extracted text.]

The L-graph $g$ has roots $(\ldots)$ and $h, i, j$ have roots $(\alpha)$. Then $g$ and $h$ admit
the following merge, of root $(\ldots)$:

[Figure: the merge of $g$ and $h$; the drawing is not recoverable from the extracted text.]

In contrast, $g$ and $i$ admit no merge (since $\gamma$ has different labels in the two
graphs), and neither do $g$ and $j$ (due to the edge connecting the non-root node
$\gamma$ to $\delta$, that is outside of $g$).


Lemma 15. Let $g$ be an L-graph and let $h, i$ be subgraphs of $g$. Then $h$ and $i$
admit a merge $j$, and for all merges $j$ of $h$ and $i$ we have $j \trianglelefteq g$.
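The replacement $g\{h \leftarrow i\}$, the orthogonality of Definition 10 and the merge of Definition 12, together with the multiset point of Remark 9, as an added executable model in Python. This is not code from the paper: the class and function names and every sample graph are my own constructions, and the subgraph test follows the conditions listed in Definition 32 with the label constraint replaced by plain equality.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, Hashable, Optional, Tuple

Node = Hashable


@dataclass(frozen=True)
class LGraph:
    """An L-graph (N, E, R, L): node set, edge multiset, root sequence, labels on non-roots."""
    nodes: FrozenSet[Node]
    edges: Counter                 # directed edges with multiplicity
    roots: Tuple[Node, ...]
    labels: Dict[Node, Hashable]   # defined on N \ R only

    def __post_init__(self) -> None:
        assert set(self.roots) <= self.nodes
        assert all(n in self.nodes and n not in self.roots for n in self.labels)

def lgraph(nodes, edges, roots, labels=None) -> LGraph:
    """Constructor helper (my own); repeated pairs in `edges` give multiplicity."""
    return LGraph(frozenset(nodes), +Counter(edges), tuple(roots), dict(labels or {}))

def is_subgraph(h: LGraph, g: LGraph) -> bool:
    """h is a subgraph of g: N_h within N_g, E_h within E_g as multisets, roots of g
    lying in h are roots of h, nodes of h touched by an edge of g outside h are
    roots of h, and non-root labels of h agree with those of g."""
    if not h.nodes <= g.nodes or any(h.edges[e] > g.edges[e] for e in h.edges):
        return False
    if any(r in h.nodes and r not in h.roots for r in g.roots):
        return False
    for a, b in g.edges - h.edges:                      # edges of g that are not in h
        if any(n in h.nodes and n not in h.roots for n in (a, b)):
            return False
    return all(g.labels.get(n) == lab for n, lab in h.labels.items())

def substitutable(i: LGraph, h: LGraph, g: LGraph) -> bool:
    """i may replace h in g: same root sequence, and i shares only those roots with g."""
    return i.roots == h.roots and (i.nodes & g.nodes) == set(h.roots)

def replace(g: LGraph, h: LGraph, i: LGraph, multiset: bool = True) -> LGraph:
    """g{h <- i} with E' = (E_g - E_h) + E_i over multisets. multiset=False uses
    plain sets instead, which is the variant Remark 9 warns against."""
    assert is_subgraph(h, g) and substitutable(i, h, g)
    if multiset:
        edges = (g.edges - h.edges) + i.edges
    else:
        edges = Counter((set(g.edges) - set(h.edges)) | set(i.edges))
    kept = g.nodes - (h.nodes - set(h.roots))           # g minus the interior of h
    labels = {n: lab for n, lab in g.labels.items() if n in kept}
    labels.update(i.labels)                             # interior of i keeps its labels
    return LGraph(kept | i.nodes, edges, g.roots, labels)

def orthogonal(h: LGraph, i: LGraph, g: LGraph) -> bool:
    """Definition 10: h and i share at most root nodes, and E_h + E_i is within E_g."""
    if not (h.nodes & i.nodes) <= (set(h.roots) & set(i.roots)):
        return False
    both = h.edges + i.edges
    return all(both[e] <= g.edges[e] for e in both)

def merge(g1: LGraph, g2: LGraph) -> Optional[LGraph]:
    """Definition 12: minimal L-graph containing g1 and g2 (edge multiplicity is the
    maximum, not the sum); None if labels clash or an input is not a subgraph."""
    labels: Dict[Node, Hashable] = {}
    for g in (g1, g2):
        for n, lab in g.labels.items():
            if labels.setdefault(n, lab) != lab:
                return None                             # shared node, different labels
    roots = g1.roots + tuple(r for r in g2.roots if r not in g1.roots)
    labels = {n: lab for n, lab in labels.items() if n not in roots}
    h = LGraph(g1.nodes | g2.nodes, g1.edges | g2.edges, roots, labels)
    return h if is_subgraph(g1, h) and is_subgraph(g2, h) else None

def remark9_roundtrip(multiset: bool) -> LGraph:
    """Remark 9's graphs: g has the single edge (p1, p2), h has the same roots and
    no edge. Returns g{h <- g}{g <- h}: g again with multisets, but h with sets."""
    g = lgraph({"p1", "p2"}, [("p1", "p2")], ("p1", "p2"))
    h = lgraph({"p1", "p2"}, [], ("p1", "p2"))
    doubled = replace(g, h, g, multiset)                # multiset: (p1, p2) occurs twice
    return replace(doubled, g, h, multiset)

def proposition8_instance() -> Tuple[LGraph, LGraph]:
    """Constructed chain i, h, g (i inside h inside g) with pr(i) = pr(j) where no
    renaming is needed; returns both sides of g{h <- h{i <- j}} = g{i <- j}."""
    g = lgraph({"p1", "p2", "d"}, [("p1", "p2"), ("p1", "p2"), ("p2", "d")],
               ("p1",), {"p2": 5, "d": 9})
    h = lgraph({"p1", "p2"}, [("p1", "p2"), ("p1", "p2")], ("p1", "p2"))
    i = lgraph({"p1", "p2"}, [("p1", "p2")], ("p1", "p2"))
    j = lgraph({"p1", "p2", "c"}, [("p1", "c"), ("c", "p2")], ("p1", "p2"), {"c": 3})
    return replace(g, h, replace(h, i, j)), replace(g, i, j)

def merge_examples() -> Tuple[Optional[LGraph], Optional[LGraph], Optional[LGraph]]:
    """Constructed after Examples 13 and 14: g merges with h; not with i (the shared
    non-root node a carries different labels) nor with j (a gets an edge to d outside g)."""
    g = lgraph({"p1", "p2", "a"}, [("p1", "a"), ("a", "p2")], ("p1", "p2"), {"a": 0})
    h = lgraph({"p2", "p3", "b"}, [("p2", "b"), ("b", "p3")], ("p2", "p3"), {"b": 1})
    i = lgraph({"p2", "p3", "a"}, [("p2", "a"), ("a", "p3")], ("p2", "p3"), {"a": 1})
    j = lgraph({"p2", "p3", "a", "d"}, [("p2", "a"), ("a", "p3"), ("a", "d")],
               ("p2", "p3"), {"a": 0, "d": 2})
    return merge(g, h), merge(g, i), merge(g, j)
```

With multisets the round trip of Remark 9 recovers the original edge, while the set variant silently loses it; the Proposition 8 instance and the merge cases are checked the same way.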


3 An Equational Logic on Graphs 


We now define equational clauses built on L-graphs and their semantics.


Definition 16. An equation is an unordered pair written $g \approx h$, where $g, h$ are
L-graphs such that $R_g = R_h$. A literal is either an equation (positive literal)
or the negation of an equation, written $g \not\approx h$ (negative literal). A clause is a
disjunction of literals. The disjunction may be empty, in which case the clause
is written $\Box$. A clause is Horn if it contains at most one positive literal. A set
of clauses is Horn if it contains only Horn clauses.


Note that we assume for technical convenience that the two members of
an equation share the same roots. $\mathcal{N}$-renamings $\mu$ are extended to equations,
literals and clauses in a straightforward way: $\mu(g \approx h) = \mu(g) \approx \mu(h)$, $\mu(g \not\approx h) = \mu(g) \not\approx \mu(h)$ and $\mu(C \vee D) = \mu(C) \vee \mu(D)$. The relation $\cong$ is extended
accordingly.

Sets of clauses built on L-graphs will be interpreted w.r.t. a congruence on
L-graphs. Graph congruences are defined in the same way as for terms, except that
we also assume that they are closed under isomorphism.


Definition 17 (Graph Congruence). A binary relation $\bowtie$ on L-graphs is
closed under isomorphisms if $i \bowtie h$ when $g \bowtie h$ and $g \cong i$. It is closed under
embeddings if $h \bowtie i$ entails $g\{h \leftarrow i\} \bowtie g$. A congruence is an equivalence
relation on L-graphs that is closed under isomorphisms and embeddings.


Definition 18. A congruence $\sim$ validates an expression $E$ (written $\sim \models E$) iff
one of the following conditions holds: (i) $E$ is an equation $g \approx h$ and $g \sim h$;
(ii) $E$ is a literal $g \not\approx h$ and $g \not\sim h$; (iii) $E$ is a clause $C$ and $\sim$ validates at least
one literal in $C$; (iv) $E$ is a set of clauses $\Gamma$ and $\sim$ validates all the clauses in
$\Gamma$. A congruence $\sim$ is a model of $E$ if $\sim \models E$. An expression is satisfiable if it
admits a model and unsatisfiable otherwise. A tautology is a clause that is true
in all congruences.


4 Superposition Calculus with Uninterpreted Labels 


We define a superposition calculus for testing the satisfiability of sets of clauses.
This calculus is strict (see, e.g., [2]) in the sense that it does not use the equational
factorization rule (as defined in [1]), but uses instead the standard factorization
rule that unifies both members of two equations. This choice is motivated by the
fact that, as shown in Example 22, graph superposition is not compatible with
tautology deletion (except when the clauses are Horn). Since tautology deletion
is disabled for non-Horn clauses, equational factorization is not needed anyway.
Selection functions are not considered, since they are not compatible with the
redundancy criterion.

The usual superposition calculus [1] is parameterized by a reduction order,
i.e., an order on terms that is well-founded, total on ground terms, and closed
under substitutions and embeddings. In the case of L-graphs, no such order
can possibly exist if we also add the natural requirement that the order must be
closed under renamings, as evidenced by the following example:


Example 19. Assume that an order $<$ exists, satisfying the following properties:
$<$ is well-founded, closed under isomorphisms and embeddings, and total up to
isomorphism (i.e., if $g \not\cong h$ then either $g < h$ or $h < g$). Consider the L-graphs $g$
and $h$ with roots $(p_1, p_2, p_3, p_4)$ and containing no labels, as well as the L-graphs
$i, j$ with an empty sequence of roots, where all nodes are labeled by 0:

[Figure: the L-graphs $g$, $h$, $i$, $j$; the drawing is not recoverable from the ext

racted text.]

It is clear that $g \not\cong h$. Indeed, if $\mu(g) = h$ holds for some $\mathcal{N}$-renaming $\mu$, then
$\mu(R_g) = R_h$, i.e., $\mu((p_1, p_2, p_3, p_4)) = (p_1, p_2, p_3, p_4)$, which entails that $\mu$ is the
identity on these nodes. Thus we cannot have $\mu(E_g) = E_h$, as the first root
($p_1$) is connected to the third root ($p_3$) in $g$ and to the fourth one ($p_4$) in $h$.
Consequently, we have either $g < h$ or $h < g$. Now we also have $g \trianglelefteq i$ and
$h \trianglelefteq j$, and it is easy to check that $i\{g \leftarrow h\} = j$ and $j\{h \leftarrow g\} = i$. Thus we have
either $i < j$ or $j < i$. But since $R_i = R_j = ()$ we have $i \cong j$: indeed, if $\mu(p_1) = p_1$,
$\mu(p_2) = p_2$, $\mu(p_3) = p_4$ and $\mu(p_4) = p_3$, then $\mu(i) = j$.


We thus slightly relax the requirement of having a reduction order, and consider
instead a pre-order $\leq$ on L-graphs that is well-founded, closed under isomorphisms
and embeddings, and contains $\trianglelefteq$. We write $g < h$ if $g \leq h$ and $h \not\leq g$,
and we write $g \sim h$ if $g \leq h$ and $h \leq g$. We also assume that the equivalence
classes of $\sim$ are finite, up to isomorphism. It is clear that such pre-orders exist;
for instance, the pre-order $g \leq h \Leftrightarrow \mathrm{card}(N_g) \leq \mathrm{card}(N_h)$ fulfills the above
properties.

Similarly to the usual superposition calculus, we associate every literal $L$
with a multiset defined as follows: $\mathrm{mset}(g \not\approx h) = \{\{g, h\}\}$ and $\mathrm{mset}(g \approx h) = \{\{g\}, \{h\}\}$. For every clause $C = L_1 \vee \cdots \vee L_n$, we define $\mathrm{mset}(C) \stackrel{\mathrm{def}}{=} \{\mathrm{mset}(L_i) \mid i = 1, \ldots, n\}$. Any order or preorder $>$ on L-graphs may then be extended into
an order on clauses as follows: $C > D \Leftrightarrow \mathrm{mset}(C) >_m \mathrm{mset}(D)$, where $>_m$
denotes the multiset extension of $>$ (note that $>_m$ is also a (pre)order). A literal
$L$ is $<$-maximal in a clause $C$ if there is no literal $L' \in C$ such that $L' > L$. An
L-graph $g$ is $<$-maximal in a literal $L$ if $L$ contains no L-graph $g'$ such that $g' > g$.
A literal $L$ is eligible in a clause $C$ if $L$ is a $<$-maximal literal in $C$. Intuitively,
eligible literals are those that may be considered for performing inferences. For
instance, given a clause $(g \approx h) \vee (i \approx j)$, if $(g \approx h) > (i \approx j)$, then $g \approx h$ is eligible
but not $i \approx j$. Consequently the inference rules (as defined in Section 4.1) will
be allowed to replace $g$ by $h$ using the equation $g \approx h$ (provided $g \not\leq h$) but not,
e.g., $i$ by $j$ (this restricts the number of inferences and prunes the search space).
Non-eligible literals are simply attached to the conclusion of the inference but
they play no active role until they (eventually) become eligible.


4.1 Inference Rules 


The superposition calculus $\mathcal{SC}$ is defined by the following rules: $Sp^+$ (positive
superposition), $Sp^-$ (negative superposition), $R$ (Reflection) and $F$ (Factoring).
The rules and their side conditions are very similar to those of the usual (ground)
superposition calculus, except for the use of the merging operation for positive
superposition. To simplify notations, the rules are defined modulo isomorphisms,
which means that one has to find a renaming of the premises such that the
considered rule applies (this can be done using standard algorithms for finding
graph homomorphisms). For instance, with this convention, the Reflection rule
$R$ actually removes all equations of the form $g \not\approx h$, with $g \cong h$.


$$Sp^+:\ \frac{g_1 \approx h_1 \vee C_1 \qquad g_2 \approx h_2 \vee C_2}{i\{g_1 \leftarrow h_1\} \approx i\{g_2 \leftarrow h_2\} \vee C_1 \vee C_2}$$

where:

1. $i$ is a merge of $g_1$ and $g_2$, and $g_1, g_2$ are not orthogonal;

2. $g_k \approx h_k$ is eligible in $g_k \approx h_k \vee C_k$ for $k = 1, 2$;

3. $g_k \not\leq h_k$ for $k = 1, 2$.

The non-orthogonality condition is the analogue of the non-variable condition
of the usual calculus; it dismisses trivial replacements.


$$Sp^-:\ \frac{g \approx h \vee C \qquad i \not\approx j \vee D}{i\{g \leftarrow h\} \not\approx j \vee C \vee D}$$

where:

1. $g \trianglelefteq i$;

2. $g \approx h$ and $i \not\approx j$ are eligible in $g \approx h \vee C$ and $i \not\approx j \vee D$, respectively;

3. $g \not\leq h$ and $i \not\leq j$.


$$F:\ \frac{g \approx h \vee g \approx h \vee C}{g \approx h \vee C}$$

if $g \approx h$ is eligible in $g \approx h \vee g \approx h \vee C$.


$$R:\ \frac{g \not\approx g \vee C}{C}$$

if $g \not\approx g$ is eligible in $g \not\approx g \vee C$.


Lemma 20. The rules $Sp^+$, $Sp^-$, $F$ and $R$ are sound, i.e., for all congruences
$\sim$ and for all clauses $C$ deducible from a set of premises $\Gamma$, we have $\sim \models \Gamma \Rightarrow \sim \models C$.
4.2 Redundancy


In the usual superposition calculus [1], a clause is redundant if all its ground
instances are entailed by smaller clauses (w.r.t. the considered order). Such clauses
can be deleted without threatening refutational completeness, which reduces the
search space. In our context, such a definition cannot be used, because one of
the inference rules, namely $Sp^+$, may generate clauses that are strictly larger
than the premises (hence such clauses would be considered as redundant if the
usual criterion were to be used).


Example 21. Consider the clauses $g \approx h$ and $i \approx j$, where $g, h, i, j$ are L-graphs
with root $(p_1)$ that are defined as follows:

[Figure: the L-graphs $g$, $h$, $i$, $j$; the drawing is not recoverable from the extracted text.]

The L-graphs $g$ and $i$ admit the following merge (of root $(p_1)$):

[Figure: the merge of $g$ and $i$; the drawing is not recoverable from the extracted text.]

Therefore, rule $Sp^+$ applies, yielding $g' \approx g''$, where:

[Figure: the L-graphs $g'$ and $g''$; the drawing is not recoverable from the extracted text.]

If L-graphs are ordered according to their number of nodes, then we have $(g' \approx g'') > (g \approx h)$ and $(g' \approx g'') > (i \approx j)$.


Worse, the calculus is actually incomplete if tautologies are deleted, as shown 
in the following example. 


Example 22. Consider the L-graphs $g_1, g_2$ and $g_3$ with roots $(p_1, p_2, p_3)$:

[Figure: the L-graphs $g_1$, $g_2$, $g_3$; the drawing is not recoverable from the extracted text.]

Let $\dot g_i$ denote the graph obtained from $g_i$ by adding one additional non-root
node $\alpha$ distinct from $p_1, p_2, p_3$, with some arbitrary (but fixed) label, e.g., 0.
Assume that the graphs are ordered by the number of nodes, so that $\dot g_i > g_j$,
$\dot g_i \sim \dot g_j$ and $g_i \sim g_j$ (for all $i, j \in \{1, 2, 3\}$). Let $\Gamma = \{\dot g_1 \approx g_2 \vee \dot g_2 \approx g_3 \vee \dot g_3 \approx g_1,\ \dot g_1 \not\approx g_2 \vee \dot g_2 \not\approx g_3 \vee \dot g_3 \not\approx g_1\}$. Intuitively, every equation $\dot g_i \approx g_j$
where $(i, j) \in \{(1, 2), (2, 3), (3, 1)\}$ states that the semantics of the graph is
preserved when the isolated node is deleted and the graph is rotated by 90
degrees clockwise, for each possible position of the loop. Since the graphs are
invariant by rotation, all these transformations are actually equivalent. It is
easy to check that every clause that can be generated from $\Gamma$ by applying the
negative superposition rule from the first clause into the second clause contains
two complementary literals (i.e., two literals of the form $\dot g_i \approx g_j$ and $\dot g_i \not\approx g_j$),
hence is a tautology. Moreover, the clauses obtained by superposition using the
first clause only either are subsumed by the first clause (if the superposition
rule is applied on two different literals) or contain a literal $g_i \approx g_i$ (hence are
tautologies). The equational factorization rule (as defined in [1]) does not apply
since $\dot g_i$ and $\dot g_j$ are not isomorphic if $i \neq j$. However, consider the L-graphs $g'_i, g'_j$
which contain the same nodes and edges as $g_i$ and $g_j$ respectively, but with roots
$(p_2, p_3, p_1)$. It is clear that $g'_2 \cong g_1$ and $g'_3 \cong g_2$, so that $\dot g_1 \approx g_2 \equiv \dot g'_2 \approx g'_3$.
However, $\dot g'_2 \trianglelefteq \dot g_2$ and $\dot g_2\{\dot g'_2 \leftarrow g'_3\} = g_3$, thus $\dot g_1 \approx g_2 \equiv \dot g_2 \approx g_3$. By a similar
reasoning, we may show that $\dot g_2 \approx g_3 \equiv \dot g_3 \approx g_1$ and $\dot g_3 \approx g_1 \equiv \dot g_1 \approx g_2$, so that
the equations $\dot g_1 \approx g_2$, $\dot g_2 \approx g_3$, and $\dot g_3 \approx g_1$ are actually pairwise equivalent,
which entails that $\Gamma$ is unsatisfiable. However, $\Box$ cannot be derived from $\Gamma$ if
the clauses containing complementary literals are discarded.


Thus, the conditions that ensure that a clause is redundant must be stronger 
than those of the usual superposition calculus. The definition proposed below 
covers usual deletion rules such as subsumption. Actually, two different criteria 
will be used, namely non-strict and strict redundancy, depending on whether the 
considered clauses are Horn or not. Indeed, in the former case a slightly less re- 
strictive definition can be used, which permits the deletion of (some) tautological 
clauses. 


Definition 23. Let $C, D$ be two clauses and let $\Gamma$ be a set of clauses. We say that
$C$ is subsumed by $D$ and write $C \geq^{\mathit{sub}} D$ if $C = D \vee C'$, up to associativity and
commutativity of $\vee$ and isomorphism. We write $C \mapsto_\Gamma D$ ($C$ demodulates to $D$
w.r.t. $\Gamma$) if $C$ is of the form $g \bowtie h \vee E$ (with $\bowtie \in \{\approx, \not\approx\}$), $D = g\{i \leftarrow j\} \bowtie h \vee E$,
and there exists a clause $F \in \Gamma$ such that $F = (i \approx j) \vee F'$, with $i \trianglelefteq g$, $F' \leq^{\mathit{sub}} E$,
$i > j$, $F' < (i \approx j)$ and $(i \approx j) < (g \bowtie h)$.

The set of clauses that are redundant w.r.t. a set of clauses $\Gamma$ is defined
inductively as follows. A clause $C$ is redundant w.r.t. $\Gamma$ iff one of the following
conditions holds: (1) $C$ contains two literals $g_1 \approx g_2$ and $g'_1 \not\approx g'_2$, with $g_i \cong g'_i$ for
$i = 1, 2$; (2) $C$ contains a literal of the form $g \approx h$ with $g \cong h$; (3) $C \geq^{\mathit{sub}} D$, for
some $D \in \Gamma$; (4) $C \mapsto_\Gamma D$ and $D$ is redundant. The set of strictly redundant
ground clauses is defined in a similar way, except that Item 1 is removed.


Intuitively, the conditions ensuring that $C$ demodulates to $D$ in Definition 23
are meant to ensure that $D$ may be deduced from $C$ by applying the rule $Sp^+$ or
$Sp^-$ using the clause $F$ (with $D < C$ and $F < C$) and that $\{D\} \cup \Gamma$ is equivalent
to $\{C\} \cup \Gamma$. In particular, the condition $F' \leq^{\mathit{sub}} E$ ensures that all the literals
added by the inference already occur in $C$.


Definition 24. A set of clauses $\Gamma$ is saturated (resp. strictly saturated) if every
clause that can be deduced from premises in $\Gamma$ using one of the rules of $\mathcal{SC}$ (in
one step) is redundant (resp. strictly redundant) w.r.t. $\Gamma$.


We prove that $\mathcal{SC}$ is refutationally complete. We actually establish two completeness
results, the first one for general clauses and the second one for Horn
clauses. The latter is stronger since it uses the weaker non-strict saturatedness
criterion instead of strict saturatedness.


Theorem 25. Let $\Gamma$ be a set of clauses. If $\Box \notin \Gamma$ and $\Gamma$ is strictly saturated or
both Horn and saturated, then $\Gamma$ is satisfiable.


5 A Constrained Graph Superposition Calculus 


We now lift the calculus $\mathcal{SC}$ defined in Section 4 into a constrained calculus.
The goal is to handle graphs labeled by terms interpreted in some arbitrary theory,
and possibly containing variables. To this aim, we attach constraints to the
clauses, which are formulas interpreted in the considered theory, asserting conditions
on the labels. Such constraints are updated when inference rules are
applied, by asserting the conditions that are required by the rule applications.


5.1 Constrained Clauses 


Let $\mathcal{V}$ be a countably infinite set of variables and let $\Sigma$ be a set of function
symbols¹. Each symbol $f$ in $\Sigma$ is associated with a unique arity $\#(f)$. We denote
by $\mathcal{T}$ the set of terms built inductively as usual on $\mathcal{V}$ and $\Sigma$, and by $\mathcal{C}$ the set
of first-order formulas, called constraints, built inductively as usual on atoms of
the form $t = s$, where $t, s \in \mathcal{T}$, using the logical connectives $\vee, \wedge, \neg, \Rightarrow, \Leftrightarrow$, the
quantifiers $\exists, \forall$ and two logical constants $\bot$ and $\top$.

A substitution $\sigma$ is a function mapping all variables $x$ to a term $x\sigma$. The
domain $\mathrm{dom}(\sigma)$ of $\sigma$ is the set of variables $x$ such that $x\sigma \neq x$. For every term
or formula $e$, we denote by $e\sigma$ the term or formula obtained from $e$ by replacing
every (free) variable $x$ by $x\sigma$. A term is ground if it contains no variables, and a
substitution $\sigma$ is ground if $x\sigma$ is ground for all $x \in \mathrm{dom}(\sigma)$.

$\mathcal{T}$-graphs are L-graphs with labels in $\mathcal{T}$. A $\mathcal{T}$-clause is a clause defined on
$\mathcal{T}$-graphs. Substitutions are extended to $\mathcal{T}$-graphs and $\mathcal{T}$-clauses as follows. For
every $\mathcal{T}$-graph $g$, we denote by $g\sigma$ the $\mathcal{T}$-graph such that $F_{g\sigma} = F_g$ for all
$F \in \{N, E, R\}$ and $L_{g\sigma}(a) = L_g(a)\sigma$, for all $a \in N_g$. Then: $(g \approx h)\sigma = g\sigma \approx h\sigma$,
$(g \not\approx h)\sigma = g\sigma \not\approx h\sigma$ and $(C \vee D)\sigma = C\sigma \vee D\sigma$. A $\mathcal{T}$-graph $g$ is ground if for all
$a \in N_g$, $L_g(a)$ is ground. A $\mathcal{T}$-clause is ground if all the $\mathcal{T}$-graphs occurring in
it are ground. For every expression (term, $\mathcal{T}$-graph, constraint or $\mathcal{T}$-clause) $E$,
we denote by $\mathcal{V}(E)$ the set of variables (freely) occurring in $E$.


Definition 26. A constrained clause (or c-clause) is a pair $[C \mid \phi]$, where $C$ is
a $\mathcal{T}$-clause and $\phi \in \mathcal{C}$.


Let $\mathcal{I}$ be some fixed set of first-order interpretations on the signature $\Sigma$. For
all $I \in \mathcal{I}$, we denote by $\mathrm{dom}(I)$ the domain of $I$ and by $f^I$ the interpretation
of the function $f$ (with $f \in \Sigma$). For every ground term $t$ and for all $I \in \mathcal{I}$,
we denote by $[t]^I$ the value of $t$ in $I$, inductively defined as usual. To simplify
notations, we assume that for every $I \in \mathcal{I}$ and for every $e \in \mathrm{dom}(I)$, there exists
a ground term $t$ such that $[t]^I = e$.


¹ As usual, predicates may be encoded as functions.

The satisfiability relation $\models$ relating interpretations in $\mathcal{I}$ and constraints in
$\mathcal{C}$ is defined as usual, where $=$ is interpreted as the identity, and $\bot$ and $\top$ are
interpreted as false and true, respectively. We write $\phi \models_{\mathcal{I}} \psi$ if the implication
$I \models \phi\sigma \Rightarrow I \models \psi\sigma$ holds for all $I \in \mathcal{I}$ and for all ground substitutions $\sigma$
of domain $\mathcal{V}(\phi) \cup \mathcal{V}(\psi)$; and $\phi \equiv_{\mathcal{I}} \psi$ iff $\phi \models_{\mathcal{I}} \psi$ and $\psi \models_{\mathcal{I}} \phi$. For any set of
constraints $S$, we write $I \models S$ iff $I \models \phi$ for all $\phi \in S$. For any constraint (or set of
constraints) $\phi$, if there exists a ground substitution $\sigma$ with domain $\mathcal{V}(\phi)$ and an
interpretation $I \in \mathcal{I}$ such that $I \models \phi\sigma$, then $\phi$ is $\mathcal{I}$-satisfiable (and $\mathcal{I}$-unsatisfiable
otherwise). For instance, the fixed set of first-order interpretations may be the
set $\mathcal{I}_\Sigma$ of first-order interpretations on $\Sigma$ that satisfy the above condition on
the domain (this is not restrictive provided there are infinitely many ground
terms), in which case $\mathcal{I}$-satisfiability is simply the standard satisfiability in first-order
clausal logic, or the set $\mathcal{I}_{\mathbb{N}}$ of interpretations of domain $\mathbb{N}$ interpreting the
functions $0, 1, +$ as usual. We say that $\mathcal{I}$ is compact if for every $\mathcal{I}$-unsatisfiable
set of constraints $S$ there exists a finite set $S' \subseteq S$ such that $S'$ is $\mathcal{I}$-unsatisfiable.
It is well-known that $\mathcal{I}_\Sigma$ is compact [21] and that $\mathcal{I}_{\mathbb{N}}$ is not compact².

Any ground $\mathcal{T}$-graph may be transformed into a $\mathrm{dom}(I)$-graph by replacing
the labels by their interpretations in $I$. More formally:


Definition 27. For all $I \in \mathcal{I}$ and for all ground $\mathcal{T}$-graphs $g$ we denote by $[g]^I$
the graph such that $F_{[g]^I} = F_g$ for all $F \in \{N, E, R\}$ and $L_{[g]^I}(a) = [L_g(a)]^I$,
for all $a \in N_g$. For every ground $\mathcal{T}$-clause $C$, we denote by $[C]^I$ the clause
obtained from $C$ by replacing every $\mathcal{T}$-graph $g$ by $[g]^I$. For all sets of c-clauses
$\Gamma$, we denote by $[\Gamma]^I$ the set of clauses of the form $[C\sigma]^I$, where $[C \mid \phi] \in \Gamma$ and $\sigma$
is a substitution mapping every variable in $C$ to a ground term.


Note that by definition, all the labels of $[g]^I$ are elements of the domain of $I$.
Proposition 28 follows immediately from Definition 27.


Proposition 28. Let $g, h$ be $\mathcal{T}$-graphs, let $I \in \mathcal{I}$ and let $\sigma$ be a ground substitution
with domain $\mathcal{V}(g) \cup \mathcal{V}(h)$. If $g \cong h$ then $[g\sigma]^I \cong [h\sigma]^I$.


Definition 29. An $\mathcal{I}$-interpretation is a pair $(I, \sim)$, where $I \in \mathcal{I}$ and $\sim$ is
a congruence on $\mathrm{dom}(I)$-graphs. An $\mathcal{I}$-interpretation $(I, \sim)$ validates a set of
c-clauses $\Gamma$ (written $(I, \sim) \models \Gamma$) if $\sim \models [\Gamma]^I$.


5.2 Lifting the Calculus 


In the constrained calculus, the equality of labels will not be checked when an
inference rule is applied. Instead, the corresponding conditions will be extracted
from the considered graphs and added to the constraints of the conclusion. We
first introduce a relation stating that two $\mathcal{T}$-graphs are identical up to their
labels. This relation is parameterized by a constraint that asserts conditions on
the labels ensuring that the graphs are identical (modulo $\mathcal{I}$).


² For instance, the set $\{n \neq i \mid i \in \mathbb{N}\}$ is unsatisfiable if $n$ is interpreted as a natural
number, but admits no finite unsatisfiable subset.


Definition 30. Let $g, h$ be two $\mathcal{T}$-graphs and let $\phi \in \mathcal{C}$. We write $g =_\phi h$ if $N_g = N_h$,
$E_g = E_h$, $R_g = R_h$, and $\phi = \bigwedge_{a \in N_g \setminus R_g} (L_g(a) = L_h(a))$ (up to associativity
and commutativity of $\wedge$).


Example 31. Consider the $\mathcal{T}$-graphs $g$ and $h$ below, of root $(p_1)$. We have $g =_\phi h$,
with $\phi = (x = 0 \wedge 0 = y)$.

[Figure: the $\mathcal{T}$-graphs $g$ and $h$; the drawing is not recoverable from the extracted text.]


Every relation between $\mathcal{T}$-graphs or $\mathcal{T}$-clauses may be adapted in a similar
way, keeping the conditions on the nodes, edges and roots, and asserting conditions
ensuring that the label of every given node is unique (up to equality
modulo $\mathcal{I}$). Definitions 32 and 33 lift the subgraph and subsumption relations,
respectively:


Definition 32. We write $h \trianglelefteq_\phi g$ if $N_h \subseteq N_g$; $E_h \subseteq E_g$; every node $a \in N_h$
occurring in $R_g$ also occurs in $R_h$; if $a \in N_h$ occurs in an edge in $E_g \setminus E_h$
then $a \in R_h$; and $\phi = \bigwedge_{a \in N_h} L_h(a) = L_g(a)$. The notation $g\{h \leftarrow i\}$ may
be extended to the case where $h \trianglelefteq_\phi g$ (following Definition 6). Orthogonality is
extended accordingly (as it does not depend on labels).


Definition 33. We write $C \leq^{\mathit{sub}}_\phi D$ if $C$ and $D$ are respectively of the form
(up to associativity and commutativity of $\vee$ and isomorphism): $\bigvee_{i=1}^n g_i \bowtie_i h_i$
and $\bigvee_{i=1}^n g'_i \bowtie_i h'_i \vee D'$, with $g_i =_{\phi_i} g'_i$, $h_i =_{\psi_i} h'_i$ (for all $i = 1, \ldots, n$) and
$\phi = \bigwedge_{i=1}^n (\phi_i \wedge \psi_i)$.


The notion of a merge is extended analogously: 


Definition 34. A $\phi$-merge of two $\mathcal{T}$-graphs $g_1$ and $g_2$ is a $\mathcal{T}$-graph $h$ such that:
— $N_h = N_{g_1} \cup N_{g_2}$; $E_h = E_{g_1} \cup E_{g_2}$, and $R_h = R_{g_1} \cup R_{g_2}$;
— For every node $a \in N_h$, we have $L_h(a) = L_{g_i}(a)$, for some (arbitrarily
chosen) $i = 1, 2$ such that $L_{g_i}(a)$ is defined;
— $\phi = \bigwedge_{a \in (N_{g_1} \cap N_{g_2}) \setminus R_h} L_{g_1}(a) = L_{g_2}(a)$.


We now lift the order relation. Let $\leq_I$ (for $I \in \mathcal{I}$) be a family of well-founded
preorders on $\mathrm{dom}(I)$-graphs that are closed under isomorphisms and
embeddings and contain $\trianglelefteq$. Let $\leq_\phi$ (for $\phi \in \mathcal{C}$) be a family of pre-orders on
$\mathcal{T}$-graphs satisfying the following conditions: $g >_\phi h \Rightarrow g >_\psi h$, for all
constraints $\phi, \psi$ such that $\psi \models_{\mathcal{I}} \phi$, and $(I \models \phi \wedge g >_\phi h) \Rightarrow [g]^I >_I [h]^I$. The
simplest solution in practice is to order $\mathcal{T}$-graphs according to their number of
nodes, in which case the order does not depend on $I$ or $\phi$: $g \leq_I h \Leftrightarrow g \leq_\phi h \Leftrightarrow \mathrm{card}(N_g) \leq \mathrm{card}(N_h)$. However, our framework is meant to be general
enough to cope with orders that take labels into account.

A literal $L$ is maximal in a c-clause $[C \mid \phi]$ if there is no literal $L' \in C$ such
that $L' >_\phi L$. It is eligible in a c-clause $[C \mid \phi]$ if $L$ is a $>_\phi$-maximal literal in $C$.

We are now in the position to define the constrained inference rules. As for
the rules in Section 4.1, they apply modulo isomorphism. We assume, as for
the standard resolution or superposition calculus, that the premises share no
variables. In every rule, the conclusion inherits the constraints of the premises
together with additional conditions on the labels which make the inference
valid. In all rules, the eligibility condition is tested after adding all the constraints
enabling the inference, as this yields the most restrictive condition, thus reducing
the branching factor.


$$Sp^+:\ \frac{[g_1 \approx h_1 \vee C_1 \mid \phi_1] \qquad [g_2 \approx h_2 \vee C_2 \mid \phi_2]}{[i\{g_1 \leftarrow h_1\} \approx i\{g_2 \leftarrow h_2\} \vee C_1 \vee C_2 \mid \phi_1 \wedge \phi_2 \wedge \psi]}$$

where:

1. $i$ is a $\psi$-merge of $g_1$ and $g_2$, and $g_1$ and $g_2$ are not orthogonal;
2. $g_k \approx h_k$ is eligible in $[g_k \approx h_k \vee C_k \mid \phi_1 \wedge \phi_2 \wedge \psi]$ (for all $k = 1, 2$);
3. $g_k \not\leq_{\phi_1 \wedge \phi_2 \wedge \psi} h_k$ (for all $k = 1, 2$).


$$Sp^-:\ \frac{[g \approx h \vee C \mid \phi] \qquad [i \not\approx j \vee D \mid \psi]}{[i\{g \leftarrow h\} \not\approx j \vee C \vee D \mid \phi \wedge \psi \wedge \xi]}$$

where:

1. $g \trianglelefteq_\xi i$ (note that $\xi$ is uniquely defined by Definition 32);
2. $g \approx h$ and $i \not\approx j$ are eligible in $[g \approx h \vee C \mid \phi \wedge \psi \wedge \xi]$ and $[i \not\approx j \vee D \mid \phi \wedge \psi \wedge \xi]$,
respectively;
3. $g \not\leq_{\phi \wedge \psi \wedge \xi} h$ and $i \not\leq_{\phi \wedge \psi \wedge \xi} j$.


$$F:\ \frac{[g \approx h \vee g' \approx h' \vee C \mid \phi]}{[g \approx h \vee C \mid \phi \wedge \psi \wedge \psi']}$$

where $g \approx h$ is eligible in $[g \approx h \vee g' \approx h' \vee C \mid \phi \wedge \psi \wedge \psi']$, $g =_\psi g'$, and $h =_{\psi'} h'$.


$$R:\ \frac{[g \not\approx h \vee C \mid \phi]}{[C \mid \phi \wedge \psi]}$$

where $g \not\approx h$ is eligible in $[g \not\approx h \vee C \mid \phi \wedge \psi]$ and $g =_\psi h$.


5.3 Soundness and Refutational Completeness 


We establish the soundness and completeness of the constrained calculus, by
lifting the corresponding properties for the base calculus. Note that semi-decidability
holds only if the base theory is semi-decidable³ and compact (otherwise
it is easy to see that unsatisfiability is not semi-decidable in general).


³ In the sense that there exists a semi-decision procedure to check whether a formula
in $\mathcal{C}$ is unsatisfiable.
Lemma 35. The rules $Sp^+$, $Sp^-$, $F$ and $R$ (applied on c-clauses) are sound, i.e.,
for all $\mathcal{I}$-interpretations $(I, \sim)$ and for all c-clauses $[C \mid \phi]$ deducible from a set of
premises $\Gamma$, we have $(I, \sim) \models \Gamma \Rightarrow (I, \sim) \models [C \mid \phi]$.


The redundancy criterion may be lifted as follows: 


Definition 36. A c-clause $[C \mid \phi]$ is (strictly) $\mathcal{I}$-redundant in a set of c-clauses
$\Gamma$ if for all ground substitutions $\sigma$ of domain $\mathcal{V}(C) \cup \mathcal{V}(\phi)$ and for all $I \in \mathcal{I}$ such
that $I \models \phi\sigma$, the clause $[C\sigma]^I$ is (strictly) redundant in $[\Gamma]^I$.

A set of c-clauses $\Gamma$ is (strictly) saturated if every c-clause that is deducible
from $\Gamma$ by the rules above is (strictly) $\mathcal{I}$-redundant in $\Gamma$.


Theorem 37. Let $\Gamma$ be a set of c-clauses. If $\Gamma$ is unsatisfiable and strictly
saturated or Horn and saturated, then $\Gamma$ contains a set of c-clauses $\{[\Box \mid \phi_I] \mid I \in \mathcal{I}\}$ such that for every $I \in \mathcal{I}$, $I \models \exists \mathbf{x}_I.\phi_I$, with $\mathbf{x}_I = \mathcal{V}(\phi_I)$. If, moreover,
$\mathcal{I}$ is compact, then $\Gamma$ contains a finite set of c-clauses $\{[\Box \mid \phi_i] \mid i = 1, \ldots, n\}$
such that $\bigwedge_{i=1}^n \neg(\exists \mathbf{x}_i.\phi_i)$ is $\mathcal{I}$-unsatisfiable, with $\mathbf{x}_i = \mathcal{V}(\phi_i)$.


5.4 Redundancy Testing 


The redundancy criterion in Definition 36 is very general, but it may be difficult 
to test in practice. We thus introduce a second notion of redundancy, defined 
directly on constrained clauses, that is stronger and easier to decide. 


Definition 38. Let $[C \mid \phi], [D \mid \psi]$ be two c-clauses and let $\Gamma$ be a set of c-clauses.
Let $\mathbf{x}$ and $\mathbf{y}$ be the vectors of variables occurring in $[C \mid \phi]$ and $[D \mid \psi]$, respectively
(we assume by renaming that $\mathbf{x}$ and $\mathbf{y}$ share no variable).

We say that $[C \mid \phi]$ is subsumed by $[D \mid \psi]$ and we write $[C \mid \phi] \geq^{\mathit{sub}} [D \mid \psi]$
if there exists $\xi \in \mathcal{C}$ such that $D \leq^{\mathit{sub}}_\xi C$ and $\phi \models_{\mathcal{I}} \exists \mathbf{y}.(\psi \wedge \xi)$.

We write $[C \mid \phi] \mapsto_\Gamma [D \mid \psi]$ ($[C \mid \phi]$ demodulates to $[D \mid \psi]$ w.r.t. $\Gamma$) if $C$
is of the form $g \bowtie h \vee E$, $D = g\{i \leftarrow j\} \bowtie h \vee E$, and there exists a c-clause
$[F \mid \xi] \in \Gamma$ (with free variables $\mathbf{z}$) such that $F = (i \approx j) \vee F'$, $i \trianglelefteq_{\xi'} g$, $F' \leq^{\mathit{sub}}_{\xi''} E$,
$\phi \models_{\mathcal{I}} \exists \mathbf{y}.\exists \mathbf{z}.(\psi \wedge \xi \wedge \xi' \wedge \xi'')$, $i >_\xi j$, $F' <_\xi (i \approx j)$ and $(i \approx j) <_\xi (g \bowtie h)$.

A c-clause $[C \mid \phi]$ is redundant w.r.t. $\Gamma$ iff one of the following conditions
holds: (1) $\exists \mathbf{x}.\phi$ is $\mathcal{I}$-unsatisfiable, with $\mathbf{x} = \mathcal{V}(\phi)$; (2) $C$ contains two literals
$g_1 \approx g_2$ and $g'_1 \not\approx g'_2$, with $g_i =_{\phi_i} g'_i$ and $\phi \models_{\mathcal{I}} \phi_i$ (for all $i = 1, 2$); (3) $C$
contains a literal of the form $g \approx h$ with $g =_\psi h$ and $\phi \models_{\mathcal{I}} \psi$; (4) $[C \mid \phi] \geq^{\mathit{sub}} [D \mid \psi]$, for some $[D \mid \psi] \in \Gamma$; (5) $[C \mid \phi] \mapsto_\Gamma [D \mid \psi]$ and $[D \mid \psi]$ is redundant.

The notion of strictly redundant c-clause is defined in a similar way, removing
Item 2.


Example 39. Consider the following $\mathcal{T}$-graphs, of root $(\ldots)$:

[Figure: the $\mathcal{T}$-graphs $g$, $h$, $i$; the drawing is not recoverable from the extracted text.]

We have $g \approx i \leq^{\mathit{sub}}_\phi h \approx i$, with $\phi = (x = 0 \wedge y = z + 1 \wedge 0 = 0)$. Thus, if $\mathcal{I}$
only contains the standard model of Presburger arithmetic, then $[g \approx i \mid y \neq 0]$
subsumes $[h \approx i \mid \top]$.
The following lemma states the relation between the new notion of redundancy
and $\mathcal{I}$-redundancy (as defined in Definition 36).


Lemma 40. Let $\Gamma$ be a set of c-clauses. If $[C \mid \phi]$ is (strictly) redundant w.r.t.
$\Gamma$ then it is (strictly) $\mathcal{I}$-redundant w.r.t. $\Gamma$.


Remark 41. By the previous definitions, checking whether a given c-clause is
(strictly) redundant involves testing the validity of entailments of the form
$\phi \models_{\mathcal{I}} \exists \mathbf{y}.\psi$, which may be infeasible in practice (for instance the problem is
undecidable if $\mathcal{I}$ contains all interpretations). Stronger conditions may be used
instead, e.g., one may check whether there exists a substitution $\sigma$ such that $\phi$ is
of the form $\psi\sigma \wedge \psi'$, which is decidable.


6 Conclusion 


We devised a constrained superposition calculus to test the satisfiability of sets
of clauses defined over graphs. Its soundness and refutational completeness were
established, modulo a redundancy criterion that captures the usual deletion and
simplification rules: subsumption, demodulation, deletion of clauses with trivial
equations and — in the case of Horn clauses only — deletion of clauses containing
complementary literals. The considered structures are rooted directed labeled
graphs, which are general enough to capture most existing equational graph
theories, such as those developed for quantum circuits. In contrast to [14], the
calculus is able to handle disjunctions as well as interpreted labels, and in contrast
to [22], our solution avoids any encoding of graphs into terms, by defining
inference rules operating directly on graphs.

From a practical point of view, it would be interesting to get more general
redundancy criteria, to reduce the branching factor and improve the efficiency
of the procedure. In particular, is it possible to define a version of the calculus
in which tautology deletion is allowed, even for non-Horn clauses? As evidenced
by Example 22, this would require defining a new equational factorization rule,
allowing for non-trivial superposition inferences within a single clause.

Another interesting issue is to add variables denoting not only labels, but also 
graphs. This would allow for instance to synthesize graphs satisfying some prop- 
erties. As graphs can be viewed as functions with multiple inputs and outputs 
(denoted by the roots) such an addition would yield a second order logic. 

Finally, it would be interesting to identify fragments for which the calcu- 
lus terminates, ensuring decidability of the satisfiability problem. In contrast to 
terms, the calculus does not terminate (and the satisfiability problem is unde- 
cidable) for ground unit clauses [14], hence strong restrictions on the shape of 
the graphs are required to ensure termination. 
Abstract. We introduce a first-order quantum programming language,
named FOQ, whose terminating programs are reversible. We restrict FOQ 
to a strict and tractable subset, named PFOQ, of terminating programs 
with bounded width, that provides a first programming language-based 
characterization of the quantum complexity class FBQP. We finally present 
a tractable semantics-preserving algorithm compiling a PFOQ program to 
a quantum circuit of size polynomial in the number of input qubits. 


1 Introduction 


Motivations. Quantum computing is an emerging and promising computational
model that has been in the scientific limelight for several decades. This phenomenon
is mainly due to the advantage of quantum computers over their classical
competitors, based on the use of purely quantum properties such as superposition
and entanglement. The most notable example is Shor's algorithm
for finding the prime factors of an integer [15], which is exponentially faster than
the most efficient known classical factoring algorithm and which is expected to
have implications in cryptography (RSA encryption, etc.).

Whether due to the fragility of quantum systems, namely the engineering problem of maintaining a large number of qubits in a coherent state, or to the lack of reliable technological alternatives, quantum computing is typically described at a level close to the hardware. Without any hope of being exhaustive, one can think of quantum circuits [9,11], of measurement-based quantum computers [4,7], or of circuit description languages [13]. This low-level machinery drastically restricts the abstraction and programming ease offered by these models, and quantum programs currently suffer from the comparison with their classical competitors, which have many high-level tools and formalisms based on more than 50 years of scientific research, engineering development, and practical and industrial applications.

In order to address these issues, a major effort is being made to realize the promise of a quantum computer, which requires the development of different layers of hardware and software, together referred to as the quantum stack. Our paper is part of this line of research. We focus on the highest layers of the quantum stack: quantum programming languages and quantum algorithms. We seek to better understand what can be done efficiently on a quantum computer, and we are particularly interested in the development of quantum programming languages where program complexity can be certified automatically by some static analysis technique.


Contribution. Towards this end, we take the notion of polynomial-time computation as our main object of study. Our contributions are the following.


— We introduce a quantum programming language, named FOQ, that includes first-order recursive procedures. The input of a FOQ program consists of a sorted set of qubits, a list of pairwise distinct qubit indexes. A FOQ program can apply to each of its qubits basic operators corresponding to unary unitary operators. The considered set of operators has been chosen in accordance with [16] to form a universal set of gates.

— After showing that terminating FOQ programs are reversible (Theorem 1), we restrict programs to a strict subset, named PFOQ, for polynomial-time FOQ. The restrictions put on PFOQ programs are tractable (i.e., they can be decided in polynomial time, see Theorem 2), ensure that programs terminate on any input (Lemma 1), and prevent programs from having any exponential blow-up (Lemma 2).

— We show that the class of functions computed by PFOQ programs is sound and complete for the quantum complexity class FBQP. FBQP is the functional extension of bounded-error quantum polynomial time, known as BQP [2], the class of decision problems solvable by a quantum computer in polynomial time with an error probability of at most $\frac{1}{3}$ for all instances. Hence the language PFOQ is, to our knowledge, the first programming language characterizing quantum polynomial-time functions. Soundness (Theorem 3) is proved by showing that any PFOQ program can be simulated by a quantum Turing machine running in polynomial time [2]. The completeness of our characterization (Theorem 6) is demonstrated by showing that PFOQ programs strictly encompass Yamakami's function algebra, known to be FBQP-complete [16].

— We also describe a polynomial-time deterministic algorithm compile (based on the subroutines described in Algorithms 1 and 2) that takes as input a PFOQ program P and an integer n and outputs a quantum circuit of size polynomial in n that simulates P on an input of n qubits. The existence of such circuits is not surprising, as it is a direct consequence of Yao's characterization of the class BQP in terms of uniform families of circuits of polynomial size [17]. However, a constructive generation based on Yao's algorithm is not satisfactory because of its use of quantum Turing machines, which makes the circuits complex and not optimal (in size). We show that, in our setting, circuits can be effectively computed and that the compile algorithm is tractable (Theorem 9).


Our programming language FOQ and the restriction to PFOQ are illustrated 
throughout the paper, using the Quantum Fourier Transform QFT as a leading 
algorithm (Example 1). 
Related work. This paper belongs to a long-standing line of work trying to specify, understand, and analyze the semantics of quantum programming languages, starting with the cornerstone work of Selinger [14]. The motivations for restricting the considered programs to PFOQ were inspired by the works on implicit computational complexity, which seek to characterize complexity classes by putting restrictions (type systems or others) on standard programming languages and paradigms [1,5,12]. These restrictions have to be implicit (i.e., not provided by the programmer) and tractable. Among all these works, we are aware of two results, [16] and [6], studying polynomial-time computations on quantum programming languages, works by which our paper was greatly inspired. [6] provides a characterization of BQP based on a quantum lambda-calculus. Our work is an extension to FBQP with a restriction to first-order procedures. Last but not least, [6] is based on Yao's simulation of quantum Turing machines [17], while we provide an explicit algorithm for generating circuits of polynomial size. Our work is also inspired by the function algebra of [16], which characterizes FBQP: our completeness proof shows that any function in [16] can be simulated by a PFOQ program (Theorem 6). However, we claim that FOQ is a more general language for FBQP insofar as it is much less constraining (in terms of expressive power) than the function algebra of [16]: any function of [16] can be, by design, transformed into a PFOQ program, whereas the converse is not true. We can take as an example the quantum Fourier transform (QFT) which, as noted in [16], cannot be exactly computed by the function algebra without an additional initial quantum function. Furthermore, the multi-qubit recursion construction described in [16] is more restrictive than what we allow in PFOQ, since it may only call the same recursive function in each branch.


2 First-order quantum programming language 


Syntax and well-formedness. We consider a quantum programming language, called FOQ for First-Order Quantum programming language, that includes basic data types such as Integers, Booleans, Qubits, Operators, and Sorted Sets of qubits (lists of finite length whose elements are pairwise distinct). A FOQ program has the ability to call first-order (recursive) procedures taking a sorted set of qubits as a parameter. Its syntax is provided in Figure 1.

Let $x$ denote an integer variable and $p, q$ denote sorted set variables. The size of the sorted set stored in $q$ will be denoted by $|q|$. We can refer to the $i$-th qubit in $q$ as $q[i]$, with $1 \leq i \leq |q|$. Hence, each non-empty sorted set variable $q$ can be viewed as a list $[q[1], \ldots, q[|q|]]$. The empty sorted set, of size 0, will be denoted by $\mathtt{nil}$, and $q \ominus [i]$ will denote the sorted set obtained by removing the qubit of index $i$ in $q$. For notational convenience, we extend this notation to $q \ominus [i_1, \ldots, i_k]$, the list obtained by removing the qubits of indexes $i_1, \ldots, i_k$ in the sorted set $q$.

The language also includes constructs $U^f$ to represent (unary) unitary operators, for some total function $f \in \mathbb{Z} \to [0, 2\pi) \cap \tilde{\mathbb{R}}$. The function $f$ is required to be polynomial-time approximable: its output is restricted to $\tilde{\mathbb{R}}$, the set of real numbers that can be approximated by a Turing machine to any precision $2^{-k}$ in time polynomial in $k$.


(Integers)                i ::= n | x | i + n | i − n | |s|,   with n ∈ ℕ
(Booleans)                b ::= i > i | i ≥ i | i = i | b ∧ b | b ∨ b | ¬b
(Sorted Sets)             s ::= nil | q̄ | s ⊖ [i]
(Qubits)                  q ::= s[i]
(Operators)               U^f(i) ::= NOT | R_Y^f(i) | Ph^f(i),   with f ∈ ℤ → [0, 2π) ∩ R̃
(Statements)              S ::= skip; | q *= U^f(i); | S S | if b then S else S
                              | qcase q of {0 → S, 1 → S} | call proc[i](s);
(Procedure declarations)  D ::= ε | decl proc[x](p){S}, D
(Programs)                P(q̄) ::= D :: S


Fig. 1: Syntax of FOQ programs


A FOQ program $P(\bar{q})$ consists of a sequence of procedure declarations $D$ followed by a program statement $S$, $\varepsilon$ denoting the empty sequence. In what follows, we will sometimes refer to program $P(\bar{q})$ simply as $P$. Let $var(S)$ be the set of variables appearing in the statement $S$. Let $|P|$ be the size of program $P$, that is, the total number of symbols in $P$.

A procedure declaration $\mathtt{decl}\ proc[x](p)\{S\}$ takes a sorted set parameter $p$ and some optional integer parameter $x$ as inputs. $S$ is called the procedure statement, $proc$ is the procedure name and belongs to a countable set $\mathrm{Procedures}$. We will write $S^{proc}$ to refer to $S$, and $proc \in P$ holds if $proc$ is declared in $D$.

Statements include a no-op instruction, applications of a unitary operator to a qubit ($q\ \mathtt{*=}\ U^f(i);$), sequences, (classical) conditionals, quantum cases, and procedure calls ($\mathtt{call}\ proc[i](s);$). A quantum case $\mathtt{qcase}\ q\ \mathtt{of}\ \{0 \to S_0, 1 \to S_1\}$ provides a quantum control feature that will execute statements $S_0$ and $S_1$ in superposition. For example, the CNOT gate on qubits $\bar{q}[i]$ and $\bar{q}[j]$, for $i, j \in \mathbb{N}$, $i \neq j$, can be simulated by the following statement:


$\mathrm{CNOT}(\bar{q}[i], \bar{q}[j]) \triangleq \mathtt{qcase}\ \bar{q}[i]\ \mathtt{of}\ \{0 \to \mathtt{skip};,\ 1 \to \bar{q}[j]\ \mathtt{*=}\ \mathtt{NOT};\}.$


Throughout the paper, we restrict our study to well-formed programs, that is, programs $P = D :: S$ satisfying the following properties: $var(S) \subseteq \{\bar{q}\}$; $\forall proc \in P$, $var(S^{proc}) \subseteq \{x, p\}$; procedure names declared in $D$ are pairwise distinct; for each procedure call, the procedure name is declared in $D$.


Semantics. Let $\mathcal{H}_{2^n}$ be the Hilbert space $\mathbb{C}^{2^n}$ of $n$ qubits. We use Dirac notation to denote a quantum state $|\psi\rangle \in \mathcal{H}_{2^n}$. Each $|\psi\rangle \in \mathcal{H}_{2^n}$ can be written as a superposition of bitstrings of size $n$: $|\psi\rangle = \sum_{w \in \{0,1\}^n} \alpha_w |w\rangle$, with $\alpha_w \in \mathbb{C}$ and $\sum_w |\alpha_w|^2 = 1$. The length $\ell(|\psi\rangle)$ of the state $|\psi\rangle$ is $n$. Given two matrices $M, N$, we denote by $M^\dagger$ the transpose conjugate of $M$ and by $M \otimes N$ the tensor product of $M$ by $N$. $\langle\psi|$ is equal to $|\psi\rangle^\dagger$, and $\langle\psi|\phi\rangle$ and $|\psi\rangle\langle\phi|$ are respectively the inner product and outer product of $|\psi\rangle$ and $|\phi\rangle$. Let $I_n$ be the identity matrix in $\mathbb{C}^{n \times n}$. Given $m \leq n$ and $i \in \{0,1\}$, define $|i\rangle_m = I_{2^{m-1}} \otimes |i\rangle \otimes I_{2^{n-m}}$ and $\langle i|_m = (|i\rangle_m)^\dagger$. A function $[\![U^f]\!] \in \mathbb{Z} \to \tilde{\mathbb{C}}^{2 \times 2}$ is associated to each $U^f$ as follows:

$$[\![\mathtt{NOT}]\!](n) = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \qquad [\![R_Y^f]\!](n) = \begin{pmatrix} \cos(f(n)) & -\sin(f(n)) \\ \sin(f(n)) & \cos(f(n)) \end{pmatrix}, \qquad [\![Ph^f]\!](n) = \begin{pmatrix} 1 & 0 \\ 0 & e^{i f(n)} \end{pmatrix}$$

where $\tilde{\mathbb{C}}$ is the set of complex numbers whose real and imaginary parts are both in $\tilde{\mathbb{R}}$. One can easily check that each matrix $M \triangleq [\![U^f]\!](n) \in \tilde{\mathbb{C}}^{2 \times 2}$ is unitary, i.e., it satisfies $M^\dagger M = M M^\dagger = I_2$.

Let $\mathbb{B}$ be the set of Boolean values $b \in \{\mathtt{false}, \mathtt{true}\}$. For a given set $X$, let $\mathcal{L}(X)$ be the set of lists of elements in $X$. Let $l = [x_1, \ldots, x_m]$, with $x_1, \ldots, x_m \in X$, denote a list of $m$ elements in $\mathcal{L}(X)$ and $[]$ be the empty list (when $m = 0$). For $l, l' \in \mathcal{L}(X)$, $l @ l'$ denotes the concatenation of $l$ and $l'$. $hd(l)$ and $tl(l)$ represent the head and the tail of $l$, respectively. Lists of integers will be used to represent Sorted Sets. They contain pointers to qubits (i.e., indexes) in the global memory.

We interpret each basic data type $\tau$ as follows: $[\![\mathtt{Integers}]\!] = \mathbb{Z}$, $[\![\mathtt{Booleans}]\!] = \mathbb{B}$, $[\![\mathtt{SortedSets}]\!] = \mathcal{L}(\mathbb{N})$, $[\![\mathtt{Qubits}]\!] = \mathbb{N}$, and $[\![\mathtt{Operators}]\!] = \tilde{\mathbb{C}}^{2 \times 2}$. Each basic operation $op \in \{+, -, >, \geq, =, \wedge, \vee, \neg\}$ of arity $n$, with $1 \leq n \leq 2$, has a type signature $\tau_1 \times \ldots \times \tau_n \to \tau$ fixed by the program syntax. For example, the operation $+$ has signature $\mathtt{Integers} \times \mathtt{Integers} \to \mathtt{Integers}$. A total function $[\![op]\!] \in [\![\tau_1]\!] \times \ldots \times [\![\tau_n]\!] \to [\![\tau]\!]$ is associated to each $op$.

For each basic type $\tau$, the reduction $\Downarrow_{[\![\tau]\!]}$ is a map in $\tau \times \mathcal{L}(\mathbb{N}) \to [\![\tau]\!]$. Intuitively, it maps an expression of type $\tau$ to its value in $[\![\tau]\!]$ for a given list $l$ of pointers in memory. These reductions are defined in Figure 2, where $e$ and $d$ denote either an integer expression $i$ or a boolean expression $b$.

Note that in rule $(\mathrm{Rm}_\bot)$, if we try to delete an undefined index then we return the empty list, and in rule $(\mathrm{Q}_\bot)$, if we try to access an undefined qubit index then we return the value $0$ (defined indexes will always be positive). The standard gates $R_Y(\pi/4)$, $P(\pi/4)$, and CNOT form a universal set of gates [3], which justifies the choice of $\mathtt{NOT}$, $R_Y^f(i)$, and $Ph^f(i)$ as basic operators. For instance, we can simulate the application of a Hadamard gate $H$ on $q$ by the statement $q\ \mathtt{*=}\ R_Y^f(0);\ q\ \mathtt{*=}\ \mathtt{NOT};$, with the function $f$ defined by $\forall n, f(n) = \pi/4 \in [0, 2\pi) \cap \tilde{\mathbb{R}}$. By abuse of notation, we will sometimes use $q\ \mathtt{*=}\ H;$ to denote this statement. Using CNOT, we can also define the SWAP operation swapping the state between two qubits $\bar{q}[i]$ and $\bar{q}[j]$, with $i, j \in \mathbb{N}$, $i \neq j$:


$\mathrm{SWAP}(\bar{q}[i], \bar{q}[j]) \triangleq \mathrm{CNOT}(\bar{q}[i], \bar{q}[j])\ \mathrm{CNOT}(\bar{q}[j], \bar{q}[i])\ \mathrm{CNOT}(\bar{q}[i], \bar{q}[j]).$


Let $\top$ and $\bot$ be two special symbols for termination and error, respectively, and let $\odot$ stand for a symbol in $\{\top, \bot\}$. The set of configurations of dimension $2^n$, denoted $\mathrm{Conf}_n$, is defined by


$\mathrm{Conf}_n = (\mathtt{Statements} \cup \{\top, \bot\}) \times \mathcal{H}_{2^n} \times \mathcal{P}(\mathbb{N}) \times \mathcal{L}(\mathbb{N}),$


with $\mathcal{P}(\mathbb{N})$ being the powerset over $\mathbb{N}$. A configuration $c = (S, |\psi\rangle, A, l) \in \mathrm{Conf}_n$ contains a statement $S$ to be executed (provided that $S \notin \{\top, \bot\}$), a quantum
$$\frac{}{(n, l) \Downarrow_{\mathbb{Z}} n}\ (\mathrm{Cst}) \qquad \frac{}{(\bar{q}, l) \Downarrow_{\mathcal{L}(\mathbb{N})} l}\ (\mathrm{Var}) \qquad \frac{}{(\mathtt{nil}, l) \Downarrow_{\mathcal{L}(\mathbb{N})} []}\ (\mathrm{Nil})$$

$$\frac{(e, l) \Downarrow_{[\![\tau_1]\!]} m \qquad (d, l) \Downarrow_{[\![\tau_2]\!]} n}{(e\ op\ d, l) \Downarrow_{[\![\tau]\!]} [\![op]\!](m, n)}\ (\mathrm{Op}) \qquad \frac{(i, l) \Downarrow_{\mathbb{Z}} n}{(U^f(i), l) \Downarrow_{\tilde{\mathbb{C}}^{2 \times 2}} [\![U^f]\!](n)}\ (\mathrm{Unit})$$

$$\frac{(s, l) \Downarrow_{\mathcal{L}(\mathbb{N})} [x_1, \ldots, x_m]}{(|s|, l) \Downarrow_{\mathbb{Z}} m}\ (\mathrm{Size})$$

$$\frac{(s, l) \Downarrow_{\mathcal{L}(\mathbb{N})} [x_1, \ldots, x_m] \qquad (i, l) \Downarrow_{\mathbb{Z}} k \in [1, m]}{(s \ominus [i], l) \Downarrow_{\mathcal{L}(\mathbb{N})} [x_1, \ldots, x_{k-1}, x_{k+1}, \ldots, x_m]}\ (\mathrm{Rm}_\top) \qquad \frac{(s, l) \Downarrow_{\mathcal{L}(\mathbb{N})} [x_1, \ldots, x_m] \qquad (i, l) \Downarrow_{\mathbb{Z}} k \notin [1, m]}{(s \ominus [i], l) \Downarrow_{\mathcal{L}(\mathbb{N})} []}\ (\mathrm{Rm}_\bot)$$

$$\frac{(s, l) \Downarrow_{\mathcal{L}(\mathbb{N})} [x_1, \ldots, x_m] \qquad (i, l) \Downarrow_{\mathbb{Z}} k \in [1, m]}{(s[i], l) \Downarrow_{\mathbb{N}} x_k}\ (\mathrm{Q}_\top) \qquad \frac{(s, l) \Downarrow_{\mathcal{L}(\mathbb{N})} [x_1, \ldots, x_m] \qquad (i, l) \Downarrow_{\mathbb{Z}} k \notin [1, m]}{(s[i], l) \Downarrow_{\mathbb{N}} 0}\ (\mathrm{Q}_\bot)$$


Fig. 2: Semantics of expressions


state $|\psi\rangle$ of length $n$, a set $A$ containing the indexes of qubits that are allowed to be accessed by statement $S$, and a list $l$ of qubit pointers.


The program big-step semantics $\to$, described in Figure 3, is defined as a relation in $\bigcup_{n \in \mathbb{N}} \mathrm{Conf}_n \times \mathrm{Conf}_n$. In the rules of Figure 3, $\to$ is annotated by an integer, called the level. For example, the level of the conclusion in the (Call) rule is 1. The level is used to count the total number of procedure calls that are not in superposition (calls in distinct branches of a quantum case are in superposition).


We now give a brief intuition on the rules of Figure 3. Rules $(\mathrm{Asg}_\bot)$ and $(\mathrm{Asg}_\top)$ evaluate the application of a unitary operator, corresponding to $U^f(j)$, to a qubit $s[i]$. For that purpose, they evaluate the index $n$ of $s[i]$ in the global memory. Rule $(\mathrm{Asg}_\bot)$ deals with the error case, where the corresponding qubit is not allowed to be accessed. Rule $(\mathrm{Asg}_\top)$ deals with the success case: the new quantum state is obtained by applying the evaluation of $U^f(j)$, tensored with identities so that it acts on the right index. Rules $(\mathrm{Seq}_\odot)$ and $(\mathrm{Seq}_\bot)$ evaluate the sequence of statements, depending on whether an error occurs or not. The (If) rule deals with classical conditionals in a standard way. The three rules $(\mathrm{Case}_\top)$, $(\mathrm{Case}_\bot)$, and $(\mathrm{Case}_{\notin})$ evaluate the qubit index $n$ of the control qubit $s[i]$. Then they check whether this index belongs to the set of accessible qubits (is $n$ in $A$?). If so, the two statements $S_0$ and $S_1$ are intuitively evaluated in superposition, on the projected states $\langle 0|_n |\psi\rangle$ and $\langle 1|_n |\psi\rangle$, respectively. During these evaluations, the index $n$ cannot be accessed anymore. The rule $(\mathrm{Call}_{[]})$ treats the base case of a procedure call when the sorted set parameter is empty. In the non-empty case, rule $(\mathrm{Call}_s)$ evaluates the sorted set parameter $s$ to $l'$ and the integer parameter
$$\frac{}{(\mathtt{skip};, |\psi\rangle, A, l) \to^{0} (\top, |\psi\rangle, A, l)}\ (\mathrm{Skip})$$

$$\frac{(s[i], l) \Downarrow_{\mathbb{N}} n \notin A}{(s[i]\ \mathtt{*=}\ U^f(j);, |\psi\rangle, A, l) \to^{0} (\bot, |\psi\rangle, A, l)}\ (\mathrm{Asg}_\bot)$$

$$\frac{(s[i], l) \Downarrow_{\mathbb{N}} n \in A \qquad (U^f(j), l) \Downarrow_{\tilde{\mathbb{C}}^{2 \times 2}} M}{(s[i]\ \mathtt{*=}\ U^f(j);, |\psi\rangle, A, l) \to^{0} (\top, (I_{2^{n-1}} \otimes M \otimes I_{2^{\ell(|\psi\rangle) - n}})|\psi\rangle, A, l)}\ (\mathrm{Asg}_\top)$$

$$\frac{(S_1, |\psi\rangle, A, l) \to^{m_1} (\top, |\psi'\rangle, A, l) \qquad (S_2, |\psi'\rangle, A, l) \to^{m_2} (\odot, |\psi''\rangle, A, l)}{(S_1\ S_2, |\psi\rangle, A, l) \to^{m_1 + m_2} (\odot, |\psi''\rangle, A, l)}\ (\mathrm{Seq}_\odot)$$

$$\frac{(S_1, |\psi\rangle, A, l) \to^{m} (\bot, |\psi'\rangle, A, l)}{(S_1\ S_2, |\psi\rangle, A, l) \to^{m} (\bot, |\psi'\rangle, A, l)}\ (\mathrm{Seq}_\bot)$$

$$\frac{(b, l) \Downarrow_{\mathbb{B}} \hat{b} \in \mathbb{B} \qquad (S_{\hat{b}}, |\psi\rangle, A, l) \to^{m} (\odot, |\psi'\rangle, A, l)}{(\mathtt{if}\ b\ \mathtt{then}\ S_{\mathtt{true}}\ \mathtt{else}\ S_{\mathtt{false}}, |\psi\rangle, A, l) \to^{m} (\odot, |\psi'\rangle, A, l)}\ (\mathrm{If})$$

$$\frac{(s[i], l) \Downarrow_{\mathbb{N}} n \in A \qquad \forall k \in \{0, 1\},\ (S_k, \langle k|_n |\psi\rangle, A \setminus \{n\}, l) \to^{m_k} (\top, |\psi_k\rangle, A \setminus \{n\}, l)}{(\mathtt{qcase}\ s[i]\ \mathtt{of}\ \{0 \to S_0, 1 \to S_1\}, |\psi\rangle, A, l) \to^{\max(m_0, m_1)} (\top, \textstyle\sum_k |k\rangle_n |\psi_k\rangle, A, l)}\ (\mathrm{Case}_\top)$$

$$\frac{(s[i], l) \Downarrow_{\mathbb{N}} n \in A \qquad \forall k \in \{0, 1\},\ (S_k, \langle k|_n |\psi\rangle, A \setminus \{n\}, l) \to^{m_k} (\odot_k, |\psi_k\rangle, A \setminus \{n\}, l) \qquad \bot \in \{\odot_0, \odot_1\}}{(\mathtt{qcase}\ s[i]\ \mathtt{of}\ \{0 \to S_0, 1 \to S_1\}, |\psi\rangle, A, l) \to^{\max(m_0, m_1)} (\bot, |\psi\rangle, A, l)}\ (\mathrm{Case}_\bot)$$

$$\frac{(s[i], l) \Downarrow_{\mathbb{N}} n \notin A}{(\mathtt{qcase}\ s[i]\ \mathtt{of}\ \{0 \to S_0, 1 \to S_1\}, |\psi\rangle, A, l) \to^{0} (\bot, |\psi\rangle, A, l)}\ (\mathrm{Case}_{\notin})$$

$$\frac{(s, l) \Downarrow_{\mathcal{L}(\mathbb{N})} l' \neq [] \qquad (i, l) \Downarrow_{\mathbb{Z}} n \qquad (S^{proc}\{n/x\}, |\psi\rangle, A, l') \to^{m} (\odot, |\psi'\rangle, A, l')}{(\mathtt{call}\ proc[i](s);, |\psi\rangle, A, l) \to^{m + 1} (\odot, |\psi'\rangle, A, l)}\ (\mathrm{Call}_s)$$

$$\frac{(s, l) \Downarrow_{\mathcal{L}(\mathbb{N})} []}{(\mathtt{call}\ proc[i](s);, |\psi\rangle, A, l) \to^{1} (\top, |\psi\rangle, A, l)}\ (\mathrm{Call}_{[]})$$


Fig. 3: Semantics of statements


$x$ to $n$. It returns the result of evaluating the procedure statement $S^{proc}\{n/x\}$, where $n$ has been substituted for $x$, w.r.t. the updated list $l'$ of qubit pointers.

For a given program $P = D :: S$ and a given quantum state $|\psi\rangle \in \mathcal{H}_{2^n}$, the initial configuration for input $|\psi\rangle$ is $c_{init}(|\psi\rangle) = (S, |\psi\rangle, \{1, \ldots, n\}, [1, \ldots, n]) \in \mathrm{Conf}_n$. A program is error-free if there is no initial configuration $c_{init}(|\psi\rangle)$ such that $c_{init}(|\psi\rangle) \to^{m} (\bot, |\psi'\rangle, A, l)$. We write $[\![P]\!](|\psi\rangle) = |\psi'\rangle$ whenever $c_{init}(|\psi\rangle) \to^{m} (\top, |\psi'\rangle, A, l)$ holds for some $m$. $(\top, |\psi'\rangle, A, l)$ is called a terminal configuration. Let $\mathcal{H} = \bigcup_n \mathcal{H}_{2^n}$; a program terminates if $[\![P]\!]$ is a total function in $\mathcal{H} \to \mathcal{H}$. Note that if a program terminates then it is obviously error-free, but the converse does not hold. Every program $P$ can be efficiently transformed into an error-free program $P_{\neg\bot}$ such that $\forall |\psi\rangle$, if $[\![P]\!](|\psi\rangle)$ is defined then $[\![P]\!](|\psi\rangle) = [\![P_{\neg\bot}]\!](|\psi\rangle)$. For example, an assignment $s[i]\ \mathtt{*=}\ U^f(j);$ can be transformed into the conditional statement $\mathtt{if}\ ((0 < i) \wedge (i \leq |s|))\ \mathtt{then}\ s[i]\ \mathtt{*=}\ U^f(j);\ \mathtt{else}\ \mathtt{skip};$.


Example 1. A notable example of a quantum algorithm is the Quantum Fourier Transform (QFT), used as a subroutine in Shor's algorithm [15], whose quantum circuit is provided below, with $R_n \triangleq [\![Ph^{\lambda y.\pi/2^{y-1}}]\!](n)$, for $n \geq 2$. After applying Hadamard and controlled $R_n$ gates, the circuit performs a permutation of qubits using swap gates.


[Circuit figure: wires $\bar{q}[1], \bar{q}[2], \ldots, \bar{q}[|\bar{q}|-1], \bar{q}[|\bar{q}|]$; each wire $\bar{q}[k]$ carries a gate $H$ followed by the gates $R_2, R_3, \ldots, R_{|\bar{q}|-k+1}$, each controlled by one of the wires below it, and the circuit ends with swap gates reversing the order of the qubits.]

Note that $\lambda x.\pi/2^{x-1}$ is a total function in $\mathbb{Z} \to [0, 2\pi) \cap \tilde{\mathbb{R}}$. Hence, it is polynomial-time approximable. The above circuit can be simulated for any number of qubits $|\bar{q}|$ by the following FOQ program QFT.


decl rec(p){
  p[1] *= H;
  call rot[2](p);
  call rec(p ⊖ [1]); },
decl rot[x](p){
  if |p| > 1 then
    qcase p[2] of {
      0 → skip;,
      1 → p[1] *= Ph^{λy.π/2^{y−1}}(x); }
    call rot[x + 1](p ⊖ [2]);
  else skip; },
decl inv(p){
  if |p| > 1 then
    SWAP(p[1], p[|p|]);
    call inv(p ⊖ [1, |p|]);
  else skip; }
:: call rec(q̄); call inv(q̄);


Derivation tree and level. Given a configuration $c$ w.r.t. a fixed program $P$, $\pi_P \triangleright c$ denotes the derivation tree of $P$, the tree of root $c$ whose children are obtained by applying the rules of Figures 2 and 3 on configuration $c$ with respect to $P$. We write $\pi$ instead of $\pi_P \triangleright c$ when $P$ and $c$ are clear from the context. Note that a derivation tree $\pi$ can be infinite in the particular case of a non-terminating computation. When $\pi'$ is finite, $\pi \leq \pi'$ denotes that $\pi$ is a subtree of $\pi'$.

In the case of a terminating computation $\pi \triangleright c$, there exists a terminal configuration $c'$ and a level $m \in \mathbb{N}$ such that $c \to^{m} c'$ holds. In this case, the level of $\pi$ is defined as $lv_\pi \triangleq m$. Given a FOQ program $P$ that terminates, $level_P$ is a total function in $\mathbb{N} \to \mathbb{N}$ defined as $level_P(n) = \max_{|\psi\rangle \in \mathcal{H}_{2^n}} lv_{\pi_P \triangleright c_{init}(|\psi\rangle)}$.

Intuitively, $level_P(n)$ corresponds to the maximal number of non-superposed procedure calls in any program execution on an input of length $n$.


Example 2. Consider the program QFT of Example 1. Assume temporarily that QFT terminates (this will be shown in Example 3). For all $n \in \mathbb{N}$, $level_{QFT}(n) = \frac{(n+1)(n+2)}{2} + \lfloor \frac{n}{2} \rfloor + 1$. Indeed, on sorted sets of size $n$, procedure rec is called recursively $n + 1$ times and makes $n + 1$ calls to procedure rot on sorted sets of size $n$, $n - 1$, ..., and $1$. On sorted sets of size $n$, rot performs $n$ recursive calls. Hence the total number of calls to rot is equal to $\sum_{i=1}^{n} i$. Finally, on a sorted set of size $n$, procedure inv does $\lfloor \frac{n}{2} \rfloor + 1$ recursive calls.
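As an added example (not the paper's own code), the following small simulator implements the statement semantics of Figure 3 (unitary application on a qubit index, the access set $A$, quantum cases on projected states, and the level count of procedure calls), runs the QFT program of Example 1 on basis states and checks both the output against the Fourier transform and the level against the formula of Example 2. The qubit ordering (qubit 1 as most significant bit) and the treatment of the empty-set call as level 1 are assumptions made here to match the counts in Example 2.

```python
import cmath, math
# Added example (not the paper's own code): a small simulator of the FOQ
# statement semantics of Figure 3, used to run the QFT program of Example 1 and
# to check the level formula of Example 2.  A state is a list of 2^n complex
# amplitudes; basis index w encodes |w_1 ... w_n> with qubit 1 as the most
# significant bit, matching |i>_m = I_{2^{m-1}} (x) |i> (x) I_{2^{n-m}}.
NOT = [[0, 1], [1, 0]]
R_Y = lambda t: [[math.cos(t), -math.sin(t)], [math.sin(t), math.cos(t)]]
Ph = lambda t: [[1, 0], [0, cmath.exp(1j * t)]]

class FOQError(Exception): pass  # error configurations (Asg_bot) and (Case_notin)
class FOQMachine:
    def __init__(self, state):
        self.state = list(state)
        self.n = int(round(math.log2(len(state))))  # length of the state
        self.A = set(range(1, self.n + 1))            # accessible qubits
        self.level = 0                                 # non-superposed calls

    def asg(self, m, M):
        """q *= U;  (Asg_top): apply (I (x) M (x) I) on qubit m."""
        if m not in self.A:
            raise FOQError(f"qubit {m} is not accessible")
        shift = self.n - m
        out = [0j] * len(self.state)
        for w, a in enumerate(self.state):
            b = (w >> shift) & 1
            for b2 in (0, 1):  # M|b> = sum_b2 M[b2][b] |b2>
                out[w ^ ((b ^ b2) << shift)] += M[b2][b] * a
        self.state = out

    def qcase(self, m, branch0, branch1):
        """(Case_top): run both branches on <k|_m|psi>, kept in full dimension with
        qubit m removed from A (so the branches cannot touch it); level = max."""
        if m not in self.A:
            raise FOQError(f"qubit {m} is not accessible")
        shift = self.n - m
        start, start_level, parts, levels = self.state, self.level, [], []
        self.A.discard(m)
        for k, branch in ((0, branch0), (1, branch1)):
            self.state = [a if (w >> shift) & 1 == k else 0j for w, a in enumerate(start)]
            self.level = 0
            branch()
            parts.append(self.state)
            levels.append(self.level)
        self.A.add(m)
        self.state = [a0 + a1 for a0, a1 in zip(*parts)]  # sum_k |k>_m |psi_k>
        self.level = start_level + max(levels)

    def call(self, proc, s, x=None):
        """call proc[x](s);  (Call_[]) if s is empty, (Call_s) otherwise."""
        self.level += 1
        if s:
            proc(self, s, x)

# The QFT program of Example 1, transcribed statement by statement; sorted sets
# are Python lists of qubit indexes, so p[0] is the paper's p[1].
H_ANGLE = math.pi / 4  # f(n) = pi/4: H is R_Y^f(0) followed by NOT

def cnot(mc, c, t):  # qcase c of {0 -> skip;, 1 -> t *= NOT;}
    mc.qcase(c, lambda: None, lambda: mc.asg(t, NOT))

def swap(mc, i, j):
    cnot(mc, i, j); cnot(mc, j, i); cnot(mc, i, j)

def rec(mc, p, _x):
    mc.asg(p[0], R_Y(H_ANGLE)); mc.asg(p[0], NOT)  # p[1] *= H;
    mc.call(rot, p, 2)
    mc.call(rec, p[1:])  # p (-) [1]

def rot(mc, p, x):
    if len(p) > 1:  # qcase p[2] of {0 -> skip;, 1 -> p[1] *= Ph^{lambda y.pi/2^(y-1)}(x);}
        mc.qcase(p[1], lambda: None, lambda: mc.asg(p[0], Ph(math.pi / 2 ** (x - 1))))
        mc.call(rot, p[:1] + p[2:], x + 1)  # p (-) [2]

def inv(mc, p, _x):
    if len(p) > 1:
        swap(mc, p[0], p[-1])
        mc.call(inv, p[1:-1])  # p (-) [1, |p|]

def run_qft(state):
    """Return [[QFT]](|psi>) and the level of its derivation."""
    mc = FOQMachine(state)
    q = list(range(1, mc.n + 1))
    mc.call(rec, q)
    mc.call(inv, q)
    return mc.state, mc.level

def expected_level(n):  # level_QFT(n) as stated in Example 2
    return (n + 1) * (n + 2) // 2 + n // 2 + 1

def qft_of_basis(x, n):  # reference: Fourier transform of |x> on n qubits
    return [cmath.exp(2j * math.pi * x * y / 2 ** n) / math.sqrt(2 ** n) for y in range(2 ** n)]

def access_violation_is_detected():  # asg on the qcase control qubit hits (Asg_bot)
    mc = FOQMachine([1 + 0j, 0j])
    try:
        mc.qcase(1, lambda: None, lambda: mc.asg(1, NOT))
    except FOQError:
        return True
    return False
```

Running `run_qft` on a basis state |x⟩ of 3 or 4 qubits returns the Fourier transform of |x⟩ and levels 12 and 18, which are the values given by the formula of Example 2.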


A program $P$ is reversible if it terminates and there exists a program $P^{-1}$ such that $[\![P^{-1}]\!] \circ [\![P]\!] = Id$.


Theorem 1. All terminating FOQ programs are reversible. 


3 Polynomial time soundness 


In this section, we restrict the set of FOQ programs to a strict subset, named 
PFOQ, that is sound for the quantum complexity class FBQP. For this, we de- 
fine two criteria: a criterion ensuring that a program terminates and a criterion 
preventing a terminating program from having an exponential runtime. 


Polynomial-time FOQ. Given two statements $S, S'$, we write $S \in S'$ to mean that $S$ is a substatement of $S'$, and $proc \in S$ holds if there are $i$ and $s$ such that $\mathtt{call}\ proc[i](s); \in S$. Given a program $P = D :: S$, we define the relation $\succ_P \subseteq \mathrm{Procedures} \times \mathrm{Procedures}$ by $proc_1 \succ_P proc_2$ if $proc_2 \in S^{proc_1}$, for any two procedures $proc_1, proc_2 \in P$. Let the partial order $\succeq_P$ be the transitive and reflexive closure of $\succ_P$ and define the equivalence relation $\sim_P$ by $proc_1 \sim_P proc_2$ if $proc_1 \succeq_P proc_2$ and $proc_2 \succeq_P proc_1$ both hold. Define also the strict order $>_P$ by $proc_1 >_P proc_2$ if $proc_1 \succeq_P proc_2$ and $proc_1 \not\sim_P proc_2$ both hold.


Definition 1. Let WF be the set of FOQ programs $P$ that are error-free and satisfy the well-foundedness constraint: $\forall proc \in P$, $\forall\ \mathtt{call}\ proc'[i](s); \in S^{proc}$,


$proc \sim_P proc' \implies \exists k > 0, \exists i_1, \ldots, i_k,\ s = p \ominus [i_1, \ldots, i_k].$


Lemma 1. If $P \in$ WF, then $P$ terminates.
Example 3. Consider the program QFT of Example 1. The statements of the procedure declarations define the following relation: $\mathrm{rec} \succ_{QFT} \mathrm{rec}$, $\mathrm{rec} \succ_{QFT} \mathrm{rot}$, $\mathrm{rot} \succ_{QFT} \mathrm{rot}$, and $\mathrm{inv} \succ_{QFT} \mathrm{inv}$. Consequently, $\mathrm{rec} \sim_{QFT} \mathrm{rec}$, $\mathrm{rot} \sim_{QFT} \mathrm{rot}$, $\mathrm{inv} \sim_{QFT} \mathrm{inv}$, and $\mathrm{rec} >_{QFT} \mathrm{rot}$ hold. For each call to an equivalent procedure, we check that the argument decreases: $p \ominus [1]$ in rec, $p \ominus [2]$ in rot, and $p \ominus [1, |p|]$ in inv. Consequently, QFT $\in$ WF. We deduce from Theorem 1 that QFT terminates.


We now add a further restriction on mutually recursive procedure calls for 
guaranteeing polynomial time using a notion of width. 


Definition 2. Given a program $P$ and a procedure $proc \in P$, the width of $proc$ in $P$, noted $width_P(proc)$, and the width of $proc$ in $P$ relative to statement $S$, noted $w_P^{proc}(S)$, are two positive integers in $\mathbb{N}$. They are defined inductively by:


$width_P(proc) = w_P^{proc}(S^{proc}),$
$w_P^{proc}(\mathtt{skip};) = 0,$
$w_P^{proc}(q\ \mathtt{*=}\ U^f(i);) = 0,$
$w_P^{proc}(S_1\ S_2) = w_P^{proc}(S_1) + w_P^{proc}(S_2),$
$w_P^{proc}(\mathtt{if}\ b\ \mathtt{then}\ S_{\mathtt{true}}\ \mathtt{else}\ S_{\mathtt{false}}) = \max(w_P^{proc}(S_{\mathtt{true}}), w_P^{proc}(S_{\mathtt{false}})),$
$w_P^{proc}(\mathtt{qcase}\ q\ \mathtt{of}\ \{0 \to S_0, 1 \to S_1\}) = \max(w_P^{proc}(S_0), w_P^{proc}(S_1)),$
$w_P^{proc}(\mathtt{call}\ proc'[i](s);) = 1$ if $proc \sim_P proc'$, and $0$ otherwise.

Definition 3 (PFOQ). Let PFOQ be the set of programs $P$ in WF that satisfy the following constraint: $\forall proc \in P$, $width_P(proc) \leq 1$.


Example 4. In the program of Example 1, $width_{QFT}(\mathrm{rec}) = width_{QFT}(\mathrm{rot}) = width_{QFT}(\mathrm{inv}) = 1$, since $\mathrm{rec} >_{QFT} \mathrm{rot}$ holds. Since QFT $\in$ WF, by Example 3, we conclude that QFT is a PFOQ program.
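As an added example (not the paper's own code), the following checker implements the syntactic side of Definitions 1 to 3 (the relation $\succ_P$, its closure, the equivalence $\sim_P$, the width function and the decreasing-argument test) on a small tuple-based representation of FOQ statements, and reproduces the conclusions of Examples 3 and 4 for QFT. Error-freeness and well-formedness are assumed rather than checked; the two failing programs at the end are constructed here for illustration.

```python
# Added example (not the paper's own code): a syntactic checker for the
# PFOQ conditions of Definitions 1 to 3, run on the QFT program of Example 1.
# It checks the well-foundedness and width constraints; error-freeness (the
# other half of Definition 1) and well-formedness are assumed.
#
# Statements are tuples:  ('skip',) | ('asg', q, U) | ('seq', S1, S2)
#   | ('if', b, S_true, S_false) | ('qcase', q, S0, S1) | ('call', proc, i, s).
# Sorted-set expressions: 'p' (the procedure parameter) or ('rm', s, [i1, ...])
# for s (-) [i1, ..., ik].  Integer/boolean expressions stay opaque strings:
# the checks never inspect them.

def skip(): return ('skip',)
def asg(q, U): return ('asg', q, U)
def if_(b, s_true, s_false): return ('if', b, s_true, s_false)
def qcase(q, s0, s1): return ('qcase', q, s0, s1)
def call(proc, s, i=None): return ('call', proc, i, s)
def rm(s, idx): return ('rm', s, list(idx))

def seq(*stmts):  # right-nested sequence S1 (S2 (... Sn))
    s = stmts[-1]
    for t in reversed(stmts[:-1]):
        s = ('seq', t, s)
    return s

def calls(S):
    """All (proc', s) such that `call proc'[i](s);` is a substatement of S."""
    if S[0] == 'call':
        return [(S[1], S[3])]
    if S[0] in ('seq', 'if', 'qcase'):
        return [c for sub in S[-2:] for c in calls(sub)]
    return []

def reach(P, proc):
    """{proc' | proc succeq_P proc'}: reflexive-transitive closure of succ_P."""
    seen, todo = set(), [proc]
    while todo:
        cur = todo.pop()
        if cur not in seen:
            seen.add(cur)
            todo.extend(callee for callee, _ in calls(P[cur]))
    return seen

def equivalent(P, a, b):  # a sim_P b
    return b in reach(P, a) and a in reach(P, b)

def width(P, proc, S):
    """w_P^proc(S) of Definition 2."""
    tag = S[0]
    if tag in ('skip', 'asg'):
        return 0
    if tag == 'seq':
        return width(P, proc, S[1]) + width(P, proc, S[2])
    if tag in ('if', 'qcase'):
        return max(width(P, proc, S[2]), width(P, proc, S[3]))
    return 1 if equivalent(P, proc, S[1]) else 0

def widths(P):  # width_P(proc) for every declared procedure
    return {proc: width(P, proc, body) for proc, body in P.items()}

def decreasing(s):  # s has the shape p (-) [i1, ..., ik] with k > 0
    return isinstance(s, tuple) and s[0] == 'rm' and s[1] == 'p' and len(s[2]) > 0

def well_founded(P):
    """Definition 1: every call to an equivalent procedure shrinks the argument."""
    return all(not equivalent(P, proc, callee) or decreasing(s)
               for proc, body in P.items() for callee, s in calls(body))

def is_pfoq(P):
    """Definition 3: well-founded and every width at most 1."""
    return well_founded(P) and all(w <= 1 for w in widths(P).values())

# The QFT program of Example 1 (SWAP expanded into its three CNOTs).
P = 'p'
QFT = {
    'rec': seq(asg('p[1]', 'H'), call('rot', P, 2), call('rec', rm(P, [1]))),
    'rot': if_('|p| > 1',
               seq(qcase('p[2]', skip(), asg('p[1]', 'Ph^f(x)')),
                   call('rot', rm(P, [2]), 'x + 1')),
               skip()),
    'inv': if_('|p| > 1',
               seq(qcase('p[1]', skip(), asg('p[|p|]', 'NOT')),
                   qcase('p[|p|]', skip(), asg('p[1]', 'NOT')),
                   qcase('p[1]', skip(), asg('p[|p|]', 'NOT')),
                   call('inv', rm(P, [1, '|p|']))),
               skip()),
}

# Two constructed programs that fail the criteria: two recursive calls in
# sequence (width 2, exponentially many calls) and a self-call whose argument
# does not decrease (not well-founded, so termination is not guaranteed).
DOUBLE = {'dbl': seq(call('dbl', rm(P, [1])), call('dbl', rm(P, [1])))}
STUCK = {'loop': call('loop', P)}
```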


We now show that the level of a PFOQ program is bounded by a polynomial 
in the length of its input. 


Lemma 2. For each PFOQ program $P$, there exists a polynomial $Q \in \mathbb{N}[X]$ such that $\forall n \in \mathbb{N}$, $level_P(n) \leq Q(n)$.


Moreover, checking whether a program is PFOQ is tractable. 


Theorem 2. For each FOQ program $P$, it can be decided in time O(|P|?) whether $P_{\neg\bot} \in$ PFOQ.


Quantum Turing machines and FBQP. Following Bernstein and Vazirani [2], a $k$-tape Quantum Turing Machine (QTM), with $k \geq 1$, is defined by a triplet $(\Sigma, Q, \delta)$ where $\Sigma$ is a finite alphabet including a blank symbol $\#$, $Q$ is a finite set of states with an initial state $s_0$ and a final state $s_f \neq s_0$, and $\delta$ is the quantum transition function in $Q \times \Sigma^k \to \tilde{\mathbb{C}}^{Q \times \Sigma^k \times \{L, N, R\}^k}$, $\{L, N, R\}$ being the set of possible movements of a head on a tape. Each tape of the QTM is two-way infinite and contains cells indexed by $\mathbb{Z}$. A QTM successfully terminates if it reaches a superposition of only the final state $s_f$. A QTM is said to be well-formed if the transition function $\delta$ preserves the norm of the superposition (or, equivalently, if the time evolution of the machine is unitary). The starting position of the tape heads is the start cell, the cell indexed by $0$. If the machine terminates with all of its tape heads back on the start cells, it is called stationary. We will use stationary in the case where the machine terminates with its input tape head in the first cell, and all other tape heads in the last non-blank cell. We will further refer to a QTM as being in normal form if the only transitions from the final state $s_f$ are towards the initial state $s_0$. These will be important conditions for the composition and branching constructions of QTMs. If a QTM is well-formed, stationary, and in normal form, we will call it conservative [16] (N.B.: our notion of stationary QTM differs from, but can be shown to be equivalent to, the definition of stationary QTM in [16]).

A configuration $\gamma$ of a $k$-tape QTM is a tuple $(s, W, \eta)$, where $s$ is a state in $Q$, $W$ is a $k$-tuple of words in $\Sigma^*$, and $\eta$ is a $k$-tuple of indexes (head positions) in $\mathbb{Z}$. An initial (final) configuration $\gamma_{init}$ (resp. $\gamma_{fin}$) is a configuration of the shape $(s_0, W, \vec{0})$ (resp. $(s_f, W, \vec{0})$). We use $\gamma(w)$ to denote a configuration $\gamma$ where the word $w$ is written on the input/output tape. Following [2], we write $\mathcal{S}$ to represent the inner-product space of finite complex linear combinations of configurations of the QTM $M$ with the Euclidean norm. A QTM $M$ defines a linear time operator $U_M : \mathcal{S} \to \mathcal{S}$ that outputs a superposition of configurations $\sum_i \alpha_i |\gamma_i\rangle$ obtained by applying a single-step transition of $M$ to a configuration $|\gamma\rangle$ (i.e., $U_M|\gamma\rangle = \sum_i \alpha_i |\gamma_i\rangle$). Let $U_M^t$, for $t \geq 1$, be the $t$-step transition obtained from $U_M$ as follows: $U_M^1 \triangleq U_M$ and $U_M^{t+1} \triangleq U_M \circ U_M^t$. Given a quantum state $|\psi\rangle = \sum_{w \in \{0,1\}^n} \alpha_w |w\rangle$ and a configuration $\gamma$, let $\gamma(|\psi\rangle) \in \mathcal{S}$ be the quantum configuration defined by $\gamma(|\psi\rangle) \triangleq \sum_{w \in \{0,1\}^n} \alpha_w |\gamma(w)\rangle$.

A quantum function $f : \mathcal{H} \to \mathcal{H}$ is computed by the QTM $M$ in time $t$ if for any $|\psi\rangle \in \mathcal{H}$, $U_M^t(\gamma_{init}(|\psi\rangle)) = \gamma_{fin}(f(|\psi\rangle))$. Given $T : \mathbb{N} \to \mathbb{N}$ and a quantum function $f$, we say that the QTM $M$ computes $f$ in time $T$ if for inputs of length $n$, $M$ computes $f$ in time $T(n)$.

Definition 4. Given two functions $f : \{0,1\}^* \to \{0,1\}^*$, $F : \mathcal{H} \to \mathcal{H}$, and a value $p \in [0,1]$, we say that $f$ is computed by $F$ with probability $p$ if $\forall x \in \{0,1\}^*$, $|\langle f(x)|F(|x\rangle)\rangle|^2 \geq p$.

The class FBQP is the functional extension of the complexity class BQP.

Definition 5 ([2]). A function $f \in \{0,1\}^* \to \{0,1\}^*$ is in FBQP iff there exist a QTM $M$ and a polynomial $P \in \mathbb{N}[X]$ s.t. $M$ computes $f$ in time $P$ with probability $\frac{2}{3}$.

A function $f \in \{0,1\}^* \to \{0,1\}^*$ has a polynomial bound $P \in \mathbb{N}[X]$ if $\forall n \in \mathbb{N}, \forall x \in \{0,1\}^n, \exists k \leq P(n), f(x) \in \{0,1\}^k$. Functions in FBQP have a polynomial bound, as the size of their output is smaller than the polynomial time bound.




A Programming Language Characterizing Quantum Polynomial Time 167 


Soundness. We show that QTMs can simulate the function computed by any 
terminating FOQ program. The time complexity of this simulation depends on 
the length of the input quantum state and on the level of the considered program. 


Lemma 3. For any terminating FOQ program $P$, there exists a conservative QTM $M$ that computes $[\![P]\!]$ in time $O(n + n \times level_P(n))$.


Now we show that any PFOQ program computes a FBQP function. 


Theorem 3. Given a PFOQ program $P$, a function $f : \{0,1\}^* \to \{0,1\}^*$, and a value $p \in (\frac{1}{2}, 1]$. If $f$ is computed by $[\![P]\!]$ with probability $p$, then $f \in$ FBQP.


Proof. Using Lemma 2 and Lemma 3. 


4 FBQP completeness


In this section we show that any function in FBQP can be faithfully approximated by a PFOQ program. Toward this end, we show that Yamakami's [16] FBQP-complete function algebra can be exactly simulated in PFOQ.


Yamakami's function algebra. A characterization of FBQP was provided in [16] using a function algebra, named $\widehat{\square}_{QP}$. Given a quantum state $|\psi\rangle$ and a word $w \in \{0,1\}^n$, with $n \leq \ell(|\psi\rangle)$, $|\psi\rangle$ can be written as $|\psi\rangle = \sum_i \alpha_i |w_i z_i\rangle$, with $w_i \in \{0,1\}^n$ and $z_i \in \{0,1\}^{\ell(|\psi\rangle) - n}$. We write $\langle w|\psi\rangle$ as an abuse of notation for the quantum state defined by $\langle w|\psi\rangle = \sum_i \alpha_i \langle w|w_i\rangle\, |z_i\rangle$.


Definition 6. $\widehat{\square}_{QP}$ is the smallest class of functions including the basic initial functions $\{I, Ph_\theta, Rot_\theta, NOT, SWAP\}$, with $\theta \in [0, 2\pi) \cap \tilde{\mathbb{C}}$,


— $I(|\psi\rangle) = |\psi\rangle$

— $Ph_\theta(|\psi\rangle) = |0\rangle\langle 0|\psi\rangle + e^{i\theta}|1\rangle\langle 1|\psi\rangle$

— $Rot_\theta(|\psi\rangle) = \cos\theta\,|\psi\rangle + \sin\theta\,(|1\rangle\langle 0|\psi\rangle - |0\rangle\langle 1|\psi\rangle)$

— $NOT(|\psi\rangle) = |0\rangle\langle 1|\psi\rangle + |1\rangle\langle 0|\psi\rangle$

— $SWAP(|\psi\rangle) = |\psi\rangle$ if $\ell(|\psi\rangle) \leq 1$, and $\sum_{a, b \in \{0,1\}} |ba\rangle\langle ab|\psi\rangle$ otherwise


and closed under the schemes Comp, Branch, and $kQRec_t$, for $k, t \in \mathbb{N}$,


— $Comp[F, G](|\psi\rangle) = F(G(|\psi\rangle))$

— $Branch[F, G](|\psi\rangle) = |\psi\rangle$ if $\ell(|\psi\rangle) \leq 1$, and $|0\rangle \otimes F(\langle 0|\psi\rangle) + |1\rangle \otimes G(\langle 1|\psi\rangle)$ otherwise

— $kQRec_t[F, G, H](|\psi\rangle) = F(|\psi\rangle)$ if $\ell(|\psi\rangle) \leq t$, and $G\big(\sum_{w \in \{0,1\}^k} |w\rangle \otimes F_w(\langle w|H(|\psi\rangle))\big)$ otherwise, where each $F_w \in \{kQRec_t[F, G, H], I\}$.
To handle general FBQP functions, [16] defines the extended encoding of an input $x \in \{0,1\}^*$ as $\phi_P(|x\rangle) = |0 \cdots 0\rangle \otimes |x\rangle$, for some polynomial $P \in \mathbb{N}[X]$ that is an upper bound on the output size of the desired FBQP function. $\phi_P$ simply consists of the quantum state $|x\rangle$ preceded by a polynomial number of ancilla qubits in state $|0\rangle$. These ancillas provide space for internal computations and account for the polynomial bound associated to polynomial-time QTMs.


Theorem 4 ([16]). Given $f : \{0,1\}^* \to \{0,1\}^*$ with polynomial bound $P \in \mathbb{N}[X]$, the following statements are equivalent.

1. The function $f$ is in FBQP.

2. There exists $F \in \widehat{\square}_{QP}$ such that $F \circ \phi_P$ computes $f$ with probability $\frac{2}{3}$.


We show the following result by structural induction on a function in $\widehat{\square}_{QP}$.


Theorem 5. Let $F$ be a function in $\widehat{\square}_{QP}$. Then there exists a PFOQ program $P$ such that $[\![P]\!] = F$.


We are now ready to state the completeness result. 


Theorem 6. For every function $f$ in FBQP with polynomial bound $Q \in \mathbb{N}[X]$, there is a PFOQ program $P$ such that $[\![P]\!] \circ \phi_Q$ computes $f$ with probability $\frac{2}{3}$.


Proof. By Theorem 4 and Theorem 5. 


5 Compilation to polynomial-size quantum circuits 


In this section, we provide an algorithm that compiles a PFOQ program on a 
given input length n € N into a quantum circuit of size polynomial in n. 

Quantum circuits [8] are a well-known graphical computational model for describing quantum computations. Qubits are represented by wires. Each unitary transformation $U$ acting on $n$ qubits can be represented as a gate $U$ with $n$ inputs and $n$ outputs. A circuit $C$ is an element of a PROP category ([10], a symmetric strict monoidal category) whose morphisms are generated by gates $G$ and wires. Let $\mathbf{1}$ be the identity circuit (for any length) and $\circ$ and $\otimes$ be the composition and product, respectively. By abuse of notation, given $k$ circuits $C^1, \ldots, C^k$, $\circ_{i=1}^{k} C^i$ will denote the circuit $\tilde{C}^1 \circ \cdots \circ \tilde{C}^k$, where each circuit $\tilde{C}^i$ is obtained by tensoring $C^i$ appropriately with identities so that the output of $\tilde{C}^i$ matches the input of $\tilde{C}^{i+1}$. By construction, a circuit is acyclic. Each circuit $C_n$ can be indexed by its number $n \in \mathbb{N}$ of input wires (i.e., non-ancilla qubits) and computes a function $[\![C_n]\!] \in \mathcal{H}_{2^n} \to \mathcal{H}_{2^n}$. To deal with functions in $\mathcal{H} \to \mathcal{H}$, we consider families of circuits $(C_n)_{n \in \mathbb{N}}$, that is, sequences of circuits such that each $C_n$ encodes a computation on quantum states of length $n$. Hence each circuit has $n$ input qubits plus some extra ancilla qubits. These ancillas can be used to perform intermediate computations but also to represent functions whose output size is strictly greater than their input size. To avoid considering families encoding undecidable properties, we put a uniformity restriction.
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Definition 7. A family of circuits (Cn)nen is said to be uniform if there exists 
a polynomial time Turing machine that takes n as input and outputs a represen- 
tation of Cn, for alln EN. 


In quantifying the complexity of a circuit, it is necessary to specify the considered elementary gates, and to define the complexity of an operation as the number of elementary gates needed to perform it. In our setting, we consider the following set of universal elementary gates {R_y(π/4), P(π/4), CNOT}. The size #C of a circuit C is equal to the number of its gates and wires.


Definition 8. A family of circuits (C_n)_{n∈N} is said to be polynomial-size with a ∈ N → N ancilla qubits if there exists a polynomial P ∈ N[X] such that, for each n ∈ N, #C_n ≤ P(n) and the number of ancilla qubits in C_n is exactly a(n).


Let χ_m : H_{2^n} → H_{2^{n+m}} be defined by χ_m(|ψ⟩) ≜ |ψ⟩ ⊗ |0⟩, for a state |ψ⟩ of size n. Let ε_m : H_{2^n} → H_{2^m}, with m ≤ n, be defined by ε_m(|ψ⟩) = Σ_{w∈{0,1}^m} Σ_{z∈{0,1}^{n−m}} ⟨wz|ψ⟩ |w⟩. Finally, let |w|, for w ∈ {0,1}*, be the size of the word w.


Theorem 7. (Adapted from [17] and [11]) A function f : {0,1}* → {0,1}* is in FBQP iff there exists a uniform polynomial-size family of circuits (C_n)_{n∈N} with a ancilla qubits s.t. ∀x ∈ {0,1}*, measuring (ε_{|f(x)|} ∘ [C_{|x|}] ∘ χ_{a(|x|)})(|x⟩) yields f(x) with probability ≥ 2/3.


In Theorem 7, [C_{|x|}] is a function in H_{2^{|x|+a(|x|)}} → H_{2^{|x|+a(|x|)}}. The function χ_{a(|x|)} pads the input with ancillas in state |0⟩ to match the circuit dimension. The function ε_{|f(x)|} projects the output of the circuit to match the length of the function output |f(x)|. Hence, for |x⟩ ∈ H_{2^{|x|}}, ε_{|f(x)|} ∘ [C_{|x|}] ∘ χ_{a(|x|)}(|x⟩) ∈ H_{2^{|f(x)|}}.


Compilation to circuits. For each PFOQ program P, the existence of a polynomial-size uniform family of circuits (C_n)_{n∈N} that computes [P] is entailed by the combination of Lemma 2 and Theorem 7. However, due to the complex machinery of QTMs, the constructions of both proofs cannot be used in practice to generate a circuit. In this section, we exhibit an algorithm that compiles a PFOQ program directly to a polynomial-size circuit. Note that this compilation process requires some care, since recursive procedure calls in quantum cases may yield an exponential number of calls. The remainder of this section is devoted to presenting an algorithm, named compile, which, for a given PFOQ program P and a given integer n, produces a circuit C_n such that ∀|ψ⟩ ∈ H_{2^n}, [P](|ψ⟩) = ε_n ∘ [C_n] ∘ χ_{a(n)}(|ψ⟩).

The compile algorithm uses two subroutines, named compr and optimize, and is defined by compile(P, n) ≜ compr(P, [1, ..., n], ·).

The subroutine compr (Algorithm 1) generates the circuit inductively on the program statement. It takes as inputs a program P, a list of qubit pointers l, and a control structure cs. A control structure cs is a partial function in N → {0,1}, mapping a qubit pointer to a control value (of a quantum case). Let · be the control structure of empty domain. For n ∈ N and k ∈ {0,1}, cs[n := k] is the control structure obtained from cs by setting cs(n) = k. For a given x ∈ {0,1}*, we say that the state |x⟩ satisfies cs if, ∀n ∈ dom(cs), cs(n) = k ⟹ |⟨k|_n |x⟩|² = 1, i.e., the n-th qubit of |x⟩ is in state |k⟩. Two control structures cs and cs' are orthogonal if there does not exist a state |x⟩ that satisfies both cs and cs'. Note that if ∃i ∈ dom(cs) ∩ dom(cs') with cs(i) + cs'(i) = 1, then cs and cs' are orthogonal.


Algorithm 1 (compr)
Input: (P, l, cs) ∈ Programs × L(N) × (N → {0,1})
Let D :: S = P in
if S = skip; then
    C ← 1                                                        ▷ Identity circuit
else if S = s[i] *= U^f(j); and (s[i], l) ⇓_N n and (U^f(j), l) ⇓_{C^{2×2}} M then
    C ← M(cs, [n])                                               ▷ Controlled gate
else if S = S_1 S_2 then
    C ← compr(D :: S_1, l, cs) ∘ compr(D :: S_2, l, cs)          ▷ Composition
else if S = if b then S_true else S_false and (b, l) ⇓_B b then
    C ← compr(D :: S_b, l, cs)                                   ▷ Conditional
else if S = qcase s[i] of {0 → S_0, 1 → S_1} and (s[i], l) ⇓_N n then
    C ← compr(D :: S_0, l, cs[n := 0]) ∘ compr(D :: S_1, l, cs[n := 1])   ▷ Quantum case
else if S = call proc[i](s) and (s, l) ⇓_{L(N)} [] then
    C ← 1                                                        ▷ Nil call
else if S = call proc[i](s) and (s, l) ⇓_{L(N)} l' ≠ [] and (i, l) ⇓_Z n then
    if width_P(proc) = 0 then
        C ← compr(D :: S^{proc}{n/x}, l', cs)                    ▷ Non-recursive call
    else if width_P(proc) = 1 then
        C ← optimize(D, [(cs, S^{proc}{n/x})], proc, l', {})     ▷ Recursive call
    end if
end if
return C


Given a control structure cs and a statement S, a controlled statement is a pair (cs, S) ∈ Cst = (N → {0,1}) × Statements. Intuitively, a controlled statement (cs, S) denotes a statement controlled by the qubits whose indices are in dom(cs). For a unitary gate U ∈ H_{2^n} → H_{2^n}, a control structure cs, and a list of pointers l = [x_1, ..., x_n] ∈ L(N) such that {x_1, ..., x_n} ∩ dom(cs) = ∅, U(cs, l) denotes the circuit applying gate U on qubits G[x_1], ..., G[x_n] whenever ∀m ∈ dom(cs), G[m] is in state |cs(m)⟩. As demonstrated in [11], this circuit can be built with O(card(dom(cs))) elementary gates and ancillas, and a single controlled-U gate.


A Programming Language Characterizing Quantum Polynomial Time 171 
[Figure 4: circuit diagram not reproduced in this extraction (gate U on q[4], q[5] controlled on q[1], q[2], q[3] with one ancilla |0⟩).]

Fig. 4: Example of circuit U(cs, l)


Example 5. As an illustrative example, consider a binary gate U and a control structure cs such that dom(cs) = {1, 2, 3}, cs(1) = cs(2) = 1, and cs(3) = 0. Also consider a list l = [4, 5] ∈ L(N). The circuit U(cs, l) is provided in Figure 4.
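The control-structure operations defined above (cs[n := k], satisfaction, orthogonality) together with the controlled gate U(cs, l) of Example 5, as an added Python illustration that is not part of the paper: the basis-state encoding, the sample states and the choice U = CNOT are all constructed here.

```python
"""Control structures and the controlled gate U(cs, l) from the compile
section, as an added illustration (not the paper's compiler).  Qubits are
numbered from 1 as in Example 5; a basis state is a bit string whose i-th
character is the value of qubit i; a state is a dict mapping basis bit
strings to complex amplitudes."""
from itertools import product
from math import sqrt


def extend(cs, n, k):
    """cs[n := k]: the control structure obtained from cs by setting cs(n) = k."""
    new = dict(cs)
    new[n] = k
    return new


def satisfies(bits, cs):
    """|x> satisfies cs iff every qubit n in dom(cs) carries the value cs(n)."""
    return all(int(bits[n - 1]) == k for n, k in cs.items())


def orthogonal(cs1, cs2):
    """The sufficient condition from the text: a common index i with
    cs1(i) + cs2(i) = 1, i.e. the two structures demand different values."""
    return any(cs1[i] + cs2[i] == 1 for i in cs1.keys() & cs2.keys())


def orthogonal_by_definition(cs1, cs2, nqubits):
    """The definition itself: no basis state on nqubits qubits satisfies both."""
    return not any(satisfies("".join(b), cs1) and satisfies("".join(b), cs2)
                   for b in product("01", repeat=nqubits))


def qcase_branches(cs, n):
    """The two control structures compr uses for the branches of qcase on qubit n."""
    return extend(cs, n, 0), extend(cs, n, 1)


def controlled_gate(state, U, cs, l):
    """U(cs, l): apply the 2^m x 2^m matrix U (m = len(l)) to the qubits in l
    on every basis state that satisfies cs; other basis states pass through.
    U[row][col] is indexed by the target bits read in the order of l."""
    assert not set(l) & set(cs), "targets must be disjoint from dom(cs)"
    m = len(l)
    out = {}
    for bits, amp in state.items():
        if not satisfies(bits, cs):
            out[bits] = out.get(bits, 0) + amp
            continue
        col = int("".join(bits[q - 1] for q in l), 2)
        for row in range(2 ** m):
            if U[row][col] == 0:
                continue
            new_bits = list(bits)
            for q, b in zip(l, format(row, "0%db" % m)):
                new_bits[q - 1] = b
            key = "".join(new_bits)
            out[key] = out.get(key, 0) + amp * U[row][col]
    return {k: v for k, v in out.items() if abs(v) > 1e-12}


# Constructed sample: Example 5's cs and l, with U taken to be CNOT
# (qubit 4 controls qubit 5; basis order 00, 01, 10, 11).
CS5 = {1: 1, 2: 1, 3: 0}
L5 = [4, 5]
CNOT = [[1, 0, 0, 0],
        [0, 1, 0, 0],
        [0, 0, 0, 1],
        [0, 0, 1, 0]]


def example5():
    """Equal superposition of a basis state satisfying cs and one violating it:
    only the first component is acted upon by U."""
    state = {"11011": 1 / sqrt(2), "10011": 1 / sqrt(2)}
    return controlled_gate(state, CNOT, CS5, L5)


if __name__ == "__main__":
    print(example5())                 # {'11010': 0.707..., '10011': 0.707...}
    cs0, cs1 = qcase_branches({1: 1}, 2)
    print(orthogonal(cs0, cs1), orthogonal_by_definition(cs0, cs1, 3))  # True True
```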


Similarly, we can define a generalized Toffoli gate as a circuit of the shape NOT(cs, n). Since card(dom(cs)) will not scale with the size of the input, such a circuit has a constant cost in gates and ancillas and can thus be considered as an elementary gate. We will also be interested in rearranging wires under a given control structure. For two lists of qubit pointers l_1 = [x_1, ..., x_n], l_2 = [x'_1, ..., x'_n] ∈ L(N), define SWAP(cs, l_1, l_2) as the circuit that swaps the wires in l_1 with the wires in l_2, controlled on cs. This circuit needs in the worst case one ancilla and O(n) controlled SWAP gates (also known as Fredkin gates).

Let D = D(Procedures × Z × N → N × L(N)) be the set of dictionaries mapping keys of the shape (proc, i, j) to pairs of the shape (a, l), where i is the value of a classical parameter, j is the size of a sorted set, and a is a qubit index. We will denote the empty dictionary by {}. Let also a ← new ancilla() be an instruction that sets a to a fresh qubit index.

The subroutine optimize (Algorithm 2) treats the complex cases where circuit optimizations (merging) are needed, that is, recursive procedure calls. It takes as input a sequence of procedure declarations D, a list of controlled statements lcst, a procedure name proc, a list of qubit pointers l, and a dictionary Anc. The subroutine iterates on the list lcst of controlled statements, which records the statements left to be treated together with their control qubits. When recursive procedure calls appear in distinct branches of a quantum case, the algorithm merges these calls together. For that purpose, it uses new ancilla qubits as control qubits. Consider procedure calls of shape call proc[i](s); with respect to a given list l ∈ L(N), such that (i, l) ⇓_Z i, (s, l) ⇓_{L(N)} l', and (|s|, l) ⇓_N j. If the key (proc, i, j) already exists in the dictionary Anc, the associated ancilla is re-used; otherwise, Anc[proc, i, j] is set to (a, l'). We can assume w.l.o.g. that the statement controlled on the ancilla is treated only after all the re-uses of the ancilla. This can be done without increasing the total complexity of optimize.

Some extra ancillas e are also created for swapping wires and are not explicitly indexed, since they are not revisited by the subroutine and are just considered unique. Ancillas a and e are indexed and treated as input qubits, therefore they can be part of the domain of control structures.
Algorithm 2 (optimize) Build circuit for recursive procedure proc
Inputs: (D, lcst, proc, l, Anc) ∈ Decl × L(Cst) × Procedures × L(N) × D

C_L ← 1; C_R ← 1; P ← D :: skip;
while lcst ≠ [] do
    (cs, S) ← hd(lcst); lcst ← tl(lcst)

    if S = S_1 S_2 then
        if w_P^{proc}(S_1) = 1 then
            lcst ← lcst@[(cs, S_1)]; C_R ← compr(D :: S_2, l, cs) ∘ C_R
        else
            lcst ← lcst@[(cs, S_2)]; C_L ← C_L ∘ compr(D :: S_1, l, cs)
        end if
    end if

    if S = if b then S_true else S_false and (b, l) ⇓_B b then
        if w_P^{proc}(S_b) = 1 then
            lcst ← lcst@[(cs, S_b)]
        else
            C_L ← C_L ∘ compr(D :: S_b, l, cs)
        end if
    end if

    if S = qcase s[i] of {0 → S_0, 1 → S_1} and (s[i], l) ⇓_N n then
        if w_P^{proc}(S_0) = 1 and w_P^{proc}(S_1) = 1 then
            lcst ← lcst@[(cs[n := 0], S_0), (cs[n := 1], S_1)]
        else if w_P^{proc}(S_1) = 0 then
            lcst ← lcst@[(cs[n := 0], S_0)];
            C_R ← compr(D :: S_1, l, cs[n := 1]) ∘ C_R
        else if w_P^{proc}(S_0) = 0 then
            lcst ← lcst@[(cs[n := 1], S_1)];
            C_R ← compr(D :: S_0, l, cs[n := 0]) ∘ C_R
        end if
    end if

    if S = call proc'[i](s) and (s, l) ⇓_{L(N)} l' ≠ [] and (i, l) ⇓_Z n then
        if (proc', n, |l'|) ∈ Anc then
            Let (a, l'') = Anc[proc', n, |l'|] in
            e ← new ancilla();
            C_L ← C_L ∘ NOT(cs, e) ∘ NOT(·[e := 1], a) ∘ SWAP(·[e := 1], l', l'');
            C_R ← SWAP(·[e := 1], l'', l') ∘ NOT(·[e := 1], a) ∘ NOT(cs, e) ∘ C_R
        else
            a ← new ancilla();
            Anc[proc', n, |l'|] ← (a, l');
            C_L ← C_L ∘ NOT(cs, a); C_R ← NOT(cs, a) ∘ C_R;
            lcst ← lcst@[(·[a := 1], S^{proc'}{n/x})]
        end if
    end if
end while
return C_L ∘ C_R
Theorem 8. For any P in PFOQ, there is Q ∈ N[X] such that ∀n ∈ N, ∀|ψ⟩ ∈ H_{2^n}, [P](|ψ⟩) = ε_n ∘ [compile(P, n)] ∘ χ_{a(n)}(|ψ⟩) and #compile(P, n) ≤ Q(n).


Example 6. compile(QFT, n) outputs the circuit provided in Example 1. Notice 
that there is no extra ancilla as no procedure call appears in the branch of a 
quantum case. 


Polynomial-size circuits. We show Theorem 8 by exhibiting that any exponential growth of the circuit can be avoided by the compile algorithm, using an argument based on orthogonal control structures. With a linear number of gates and a constant number of extra ancillas, we can merge calls referring to the same procedure, on different branches of a quantum case, when they are applied to sorted sets of equal size. An example of the construction is given in Figure 5, where two instances of a gate U are merged into one using SWAP gates and gates controlled by orthogonal control structures.


Fig. 5: Example of circuit optimization. 


The following lemma shows that multiple uses of a gate can be merged into one provided they are applied under orthogonal control structures.

Lemma 4. For any circuit C_n ≜ ∘_{i=1}^k U(cs_i, l_i), with a unitary gate U, pairwise orthogonal cs_1, ..., cs_k ∈ Cst, and l_1, ..., l_k ∈ L(N), there exists a circuit C using one controlled gate U, O(kn) gates, and O(k) ancillas, and such that [C] = [C_n].

Now we show that orthogonality is an invariant property of compile.

Lemma 5. Orthogonality is an invariant property of the control structures in lcst of the subroutine optimize. In other words, for any two distinct pairs (cs, S), (cs', S') in lcst, cs and cs' are orthogonal.

Theorem 9. For any P in PFOQ, compile(P, n) runs in time O(n^{2|P|+1}).


Proof. Using Lemma 4 and Lemma 5. 


As there is no circuit duplication in the assignments of compile, we can 
deduce from Theorem 9 that the compiled circuit is of polynomial size. 


Corollary 1. For any P in PFOQ, there exists a polynomial Q ∈ N[X] such that #compile(P, n) ≤ Q(n).
Abstract. This paper presents a similar approach for existential first-order characterizations of the languages recognizable by finite automata, by Parikh automata, and by multi-counter machines over the alphabet {0, 1, ..., k − 1}^n for some k ≥ 2. The set of k-FA-recognizable relations coincides with the set of relations which are existentially definable in the structure (N; 0, 1, +, &_k, =), where &_k corresponds to the bitwise minimum of base k. In order to obtain an existential first-order description of k-Parikh automata languages, we extend this structure with the predicate EqNZB_k(x, y), which is true if and only if x and y have the same number of non-zero bits in k-ary encoding. Using essentially the same ideas, we encode computations of k-multi-counter machines and thus show that every recursively enumerable relation over the natural numbers is existentially definable in the aforementioned structure supplemented with concatenation z = x ⌢_k y ⟺ z = x + k^{l(x)} y, where l(x) is the bit-length of x in base k. This result gives us another proof of the DPR-theorem.


Keywords: Bitwise minimum · Büchi arithmetic · Parikh automata · Existential definability · Recursively enumerable sets · DPR-theorem · Concatenation


1 Introduction 


In a recent paper [11], Haase and Różycki considered definability problems in k-Büchi arithmetic, an extension of Presburger arithmetic with a relation V_k such that V_k(x, y) if and only if x is the largest power of k that divides y. They proved that there are relations which are definable in k-Büchi arithmetic (k-definable) and not definable by any existential formula of the corresponding language. By a slight modification of a theorem of Villemaire [24, Corollary 2.4], they show that every k-definable relation can actually be expressed via some ∃∀-formula, whereas Villemaire constructs a ∃∀∃-formula.

Büchi arithmetic of base k ≥ 2 can be considered as a first-order characterization of the languages recognizable by finite-state automata over the alphabet {0, 1, ..., k − 1}^n (called k-FA-recognizable). Interpreting the words of this language as tuples (x_1, ..., x_n) of natural numbers in base k encoding, we obtain the Büchi-Bruyère theorem [3,5], which states that every relation R ⊆ N^n is k-FA-recognizable if and only if it is k-definable. A second-order version of this theorem (which was proved independently by Büchi [5], Elgot [9], and Trakhtenbrot [22]) says that every relation is 2-FA-recognizable iff it is weak monadic second-order (WMSO-)definable in the structure (N; S), where S is a unary function symbol for the successor function over the natural numbers. The WMSO-theory of (N; S) is usually denoted by WS1S.


Coming back to Villemaire's result, we see that his encoding of k-FA via ∃∀∃-formulas of the language of k-Büchi arithmetic uses a unique bounded universal quantifier. A similar construction often appears in logical descriptions of abstract machines. For example, Klaedtke and Rueß considered in [16] various definability and decidability properties for WMSO-formulas with successor S and cardinality constraints of the form |X_1| + ... + |X_r| < |Y_1| + ... + |Y_s|; the corresponding WMSO-theory of N was denoted by WS1S^card. They introduced Parikh automata, an extension of finite automata, and obtained an analogue of Büchi's Theorem, namely every relation recognizable by a Parikh automaton over the alphabet {0, 1}^n is existentially WMSO-definable in N with S and cardinality constraints, and vice versa. Here, only second-order variables are existentially quantified, while the formula which describes a computation of a given Parikh automaton still contains a universally quantified first-order variable (see [16, Theorem 10], where the universal quantifier ∀x can be bounded by the maximal element of the existentially quantified second-order variable U).


Note that while WS1S is decidable, WS1S^card is already undecidable, and its decidable fragments [16, Theorem 16] were obtained as a consequence of the decidability of the emptiness problem for Parikh automata. Translating these undecidability results into a first-order context, Bès showed [2, Proposition 3.8] in particular that the graph of the multiplication function is definable in the structure (N; 0, 1, +, V_2, EqNonZeroBits, =), where EqNonZeroBits(x, y) is true iff x and y have the same number of non-zero bits in their binary representations. This implies undecidability of the first-order theory of this structure, but it is not known, for example, whether the existential first-order theory is decidable. In the concluding section of [2], Bès remarks that "it would be interesting to study the expressive power of fragments of FO arithmetic which include predicates like EqNonZeroBits". We will further shorten the name of this predicate to EqNZB.


The Davis-Putnam-Robinson theorem (DPR-theorem) [8] was a milestone in the undecidability proof of Hilbert's Tenth Problem. This theorem states that every relation R ⊆ N^n is recursively enumerable (r.e.) if and only if it is existentially first-order definable in the structure (N; 0, 1, +, ·, exp, =) (these relations are also called exponential diophantine). As the starting point, the proof uses the result of Davis [7], which states that every r.e. set is ∃∀∃-definable in the structure (N; 0, 1, +, ·, =) with one bounded universal quantifier. It is important for us that the elimination of this quantifier in the proof of the DPR-theorem involves multiplication, factorial and binomial coefficients, and does not seem useful when we try to eliminate a bounded universal quantifier in weaker structures. However, in 1976 Matiyasevich presented an alternative proof of the DPR-theorem [19] by a purely existential encoding of computations of Turing machines, which thus gives us another approach for eliminating a bounded universal quantifier [20, Section 6.1].

It is easy to modify the final steps of Matiyasevich's proof in order to obtain an existential formula of the language with 0, 1, addition, bitwise minimum &, and concatenation ⌢, where t = x ⌢ y ⟺ t = x + 2^{l(x)} y and l(x) is the bit-length of x. Kummer's lemma [18] then plays a crucial role, since it gives an exponential diophantine representation of bitwise minimum (see also an exponential diophantine representation of the masking relation ⪯ in [14]). Note that it is not difficult to define & in the structure (N; 0, 1, +, V_2, =) by a formula with one bounded universal quantifier, whereas there is an existential formula that defines V_2 in (N; 0, 1, +, &, =). This suggests the question whether every 2-FA-recognizable relation is existentially first-order definable in (N; 0, 1, +, &, =).

In Theorem 1, we show that every relation is actually k-FA-recognizable if and only if it is existentially definable in the structure (N; 0, 1, +, &_k, =), where &_k corresponds to the binary bitwise minimum operation of base k. The same approach is applied in Theorem 2 to obtain an existential first-order characterization of the languages recognizable by Parikh automata over the alphabet {0, 1, ..., k − 1}^n. In this case, the structure must be extended by the binary predicate EqNZB_k, which is true for those pairs of natural numbers (x, y) such that x and y have the same number of non-zero bits of base k.

Applying essentially the same ideas as in Theorem 1, we are able to show in Theorem 3 that every relation R ⊆ N^n is recognizable by multi-counter machines over the alphabet {0, 1, ..., k − 1}^n if and only if it is existentially definable in the structure (N; 0, 1, +, &_k, ⌢_k, =), where z = x ⌢_k y ⟺ z = x + k^{l(x)} y and l(x) is the bit-length of x in base k. Since such machines recognize exactly the r.e. sets, this provides yet another [14,19,20] proof of the DPR-theorem by purely existential arithmetization of abstract machines.


2 Definitions and the main example 


This section recalls some basic definitions from logic and automata theory, which 
will be used in the sequel. Then we illustrate the main idea of the existential 
characterisations constructed in Sections 3 and 4. 


2.1 Definability and automata 


First-order definability. The domain of all the structures considered in this paper will be the set of natural numbers N = {0, 1, 2, ...}, and we will consider existential definability in some extensions of (N; 0, 1, +, =).

Denote by L_σ the first-order language of some signature σ. An L_σ-formula φ is existential if it has the form ∃x̄ ψ(x̄, ȳ), where ψ(x̄, ȳ) is a quantifier-free L_σ-formula. Here, x̄ denotes a list of variables x_1, ..., x_n. We say that an n-ary relation R over N is first-order (FO-)definable in the structure (N; σ) if there exists an L_σ-formula φ(x̄) such that for every ā ∈ N^n we have R(ā) if and only if φ(ā). When the formula φ(x̄) is existential, the corresponding relation is called existentially first-order (∃FO-)definable, and similarly for the case of quantifier-free formulas, universal formulas and other quantifier prefixes. We will subsequently write the prefix "FO" in the cases where we also discuss second-order definability, and in general it will be omitted.

In this paragraph, we focus on definability in the structure (N; 0, 1, +, V_k, =), where k ≥ 2 is an integer and V_k is a binary relation such that V_k(x, y) if and only if x is the largest power of k dividing y. Büchi arithmetic of base k is the first-order theory of this structure. The relations definable in this structure are called k-definable. Recall that for every multiplicatively independent integer l ≥ 2 (i.e., k^a ≠ l^b for all positive integers a, b), V_l is not definable in (N; 0, 1, +, V_k, =) [23,24] (see also a generalization of this result by Bès [1]). In the following, we consider some fixed base k. Let &_k be the binary bitwise minimum operation of base k, where we assume that the natural number of smaller bit-length is supplemented with a sufficient number of leading zeros. For example, we have 120202 &_3 21201201 = 100201. It is not difficult to prove the following lemma.


Lemma 1. Every relation is k-definable if and only if it is definable in the structure (N; 0, 1, +, &_k, =).


Proof. In order to define bitwise minimum, for every j ∈ [0..k − 1] we use the relation X_{k,j}(x, y), which is defined as "x is a power of k and the coefficient of this power of k in the representation of y in base k equals j". There is a simple existential formula for this relation in [4,11,24]:

$$X_{k,j}(x,y) \iff V_k(x,x) \wedge \exists z \exists t \exists u\,\big(y = z + jx + t \wedge z < x \wedge (t = 0 \vee (V_k(u,t) \wedge x < u))\big),$$

where x < y ⟺ ∃z(y = x + z + 1). Therefore, the graph of bitwise minimum can be expressed by a formula with a universal quantifier

$$z = x \,\&_k\, y \iff \forall t \bigwedge_{(i,j)\in[0..k-1]^2} \big(X_{k,i}(t,x) \wedge X_{k,j}(t,y) \to X_{k,\min(i,j)}(t,z)\big).$$
(4,9) €[0..k—-1]? 


For the converse, by using monus z = x −̇ y ⟺ (z = 0 ∧ x ≤ y) ∨ (x = z + y),

define the set of powers of k by the formula P(x) & (ka —1)&, z = x^nr = 0 

Finally, we have

$$V_k(x,y) \iff P_k(x) \wedge \bigvee_{j\in[1..k-1]} (kx - 1)\,\&_k\, y = jx. \qquad \square$$


We see that X_{k,j}(x, y) can be defined in (N; 0, 1, +, &_k, =) by the quantifier-free formula P_k(x) ∧ y &_k (k − 1)x = jx. Let λ_k(x) be the greatest power of k less than or equal to x when x > 0, and λ_k(0) = 1. Formally, we have the definition y = λ_k(x) ⟺ (x = 0 ∧ y = 1) ∨ (P_k(y) ∧ y ≤ x ∧ x < ky). Now an analogue of bitwise negation can be defined as follows: ~_k(y, x) = (kλ_k(y) − 1) −̇ x &_k (kλ_k(y) − 1). Here, ~_k(y, x) has the same bit-length as y, and we assume that &_k has a higher precedence than + or monus. For our purposes, it is useful to include in the signature a binary function symbol for bitwise maximum

$$z = x\,|_k\,y \iff \big(x \le y \wedge z = \sim_k(y,\ \sim_k(y,x)\,\&_k \sim_k(y,y))\big) \vee \big(y < x \wedge z = \sim_k(x,\ \sim_k(x,x)\,\&_k \sim_k(x,y))\big).$$
For a fixed natural number n, we will also use the function x ↦ ⌊x/k^n⌋, whose graph is quantifier-free definable by the formula y = ⌊x/k^n⌋ ⟺ k^n y ≤ x ∧ x < k^n(y + 1). The function 1_k(y) gives a natural number of the same bit-length as y, but with all k-ary digits equal to one: x = 1_k(y) ⟺ (k − 1)x = kλ_k(y) − 1. For notational convenience, let us introduce a binary predicate symbol ⪯_k such that x ⪯_k y ⟺ x &_k y = x. The following lemma summarizes these definability results and will be implicitly used in the next sections.

Lemma 2. The predicates P_k, V_k, X_{k,j}, ≤, < and the graphs of the functions −̇, λ_k, ~_k, 1_k, |_k, and ⌊·/k^n⌋ for every fixed n ≥ 1 are ∃-definable in the structure (N; 0, 1, +, &_k, =).


The existential encoding of k-automata in Subsection 2.2 uses an ∃-definable function, which echoes a construction that was applied by Matiyasevich [19] in his arithmetization of Turing machines. For every a ∈ [1..k − 1] the function O_{k,a}(x) substitutes 1 for every digit of x equal to a, and 0 otherwise. Then, the graph of this function is defined as follows:

$$y = O_{k,a}(x) \iff \exists x_1 \ldots \exists x_{k-1}\Big(\bigwedge_{1\le i<j\le k-1} x_i \,\&_k\, x_j = 0 \wedge (x_1 + \ldots + x_{k-1}) \preceq_k 1_k(x) \wedge x_1 + 2x_2 + \ldots + (k-1)x_{k-1} = x \wedge y = x_a\Big). \qquad (1)$$

Note that each digit in the k-ary representation of every quantified variable in (1) is either 0 or 1. Moreover, if we denote 1_k^+(x) = x &_k 1_k(x), then the sum x_1 + ... + x_{k−1} is exactly 1_k^+(x). In the case of digit zero, the function O_{k,0} has an extra parameter that specifies the number of leading zeros which must be replaced by ones:

$$y = O_{k,0}(t,x) \iff y = 1_k(t) \mathbin{\dot-} 1_k^+(x). \qquad (2)$$

In particular, when λ_k(t) < λ_k(x), we always have O_{k,0}(t, x) = 0, and otherwise we obtain, for example, O_{3,0}(100000, 1020) = 110101.
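The base-k operations defined in this subsection (bitwise minimum, λ_k, 1_k, 1_k^+, ~_k, bitwise maximum, O_{k,a}, O_{k,0}(t, x) and the V_k formula from the end of the proof of Lemma 1), as an added Python illustration that is not the authors' code; it checks the two numerical examples on the page and that the ~_k definition of bitwise maximum agrees with the digit-wise one.

```python
"""Digit-wise operations of base k from Subsection 2.1 on concrete numbers:
bitwise minimum &_k, lambda_k, 1_k, 1_k^+, the negation analogue ~_k,
bitwise maximum |_k (directly and via the ~_k formula), the digit
selectors O_{k,a} and O_{k,0}(t, x), and V_k obtained from P_k as in the
proof of Lemma 1.  Added illustration written for this page, not the
authors' code; base-k numerals are passed as int(s, k) of their strings."""

def digits(x, k):
    """Base-k digits of x, least significant first (0 has the single digit 0)."""
    out = []
    while True:
        out.append(x % k)
        x //= k
        if x == 0:
            return out

def from_digits(ds, k):
    return sum(d * k ** i for i, d in enumerate(ds))

def zipped(x, y, k):
    """Digit pairs of x and y, the shorter one padded with leading zeros."""
    dx, dy = digits(x, k), digits(y, k)
    n = max(len(dx), len(dy))
    return zip(dx + [0] * (n - len(dx)), dy + [0] * (n - len(dy)))

def bmin(k, x, y):
    """x &_k y: digit-wise minimum."""
    return from_digits([min(a, b) for a, b in zipped(x, y, k)], k)

def bmax(k, x, y):
    """x |_k y: digit-wise maximum, computed directly."""
    return from_digits([max(a, b) for a, b in zipped(x, y, k)], k)

def monus(x, y):
    """x -. y (truncated subtraction)."""
    return x - y if x > y else 0

def is_power(k, x):
    """P_k(x): x is a power of k."""
    if x == 0:
        return False
    while x % k == 0:
        x //= k
    return x == 1

def lam(k, x):
    """lambda_k(x): greatest power of k <= x, with lambda_k(0) = 1."""
    p = 1
    while p * k <= x:
        p *= k
    return p

def ones(k, y):
    """1_k(y): all digits 1, same bit-length as y; (k-1)*1_k(y) = k*lambda_k(y) - 1."""
    return (k * lam(k, y) - 1) // (k - 1)

def ones_plus(k, x):
    """1_k^+(x) = x &_k 1_k(x): digit 1 exactly where x has a non-zero digit."""
    return bmin(k, x, ones(k, x))

def neg(k, y, x):
    """~_k(y, x) = (k*lambda_k(y) - 1) -. (x &_k (k*lambda_k(y) - 1))."""
    m = k * lam(k, y) - 1
    return monus(m, bmin(k, x, m))

def bmax_via_neg(k, x, y):
    """z = x |_k y as defined on the page through two applications of ~_k."""
    if x <= y:
        return neg(k, y, bmin(k, neg(k, y, x), neg(k, y, y)))
    return neg(k, x, bmin(k, neg(k, x, x), neg(k, x, y)))

def O(k, a, x):
    """O_{k,a}(x) for 1 <= a <= k-1: digit 1 where x has digit a, 0 elsewhere."""
    return from_digits([int(d == a) for d in digits(x, k)], k)

def O0(k, t, x):
    """O_{k,0}(t, x) = 1_k(t) -. 1_k^+(x), formula (2)."""
    return monus(ones(k, t), ones_plus(k, x))

def V_direct(k, x, y):
    """V_k(x, y): x is the largest power of k dividing y."""
    return is_power(k, x) and y % x == 0 and (y // x) % k != 0

def V_formula(k, x, y):
    """V_k(x, y) <=> P_k(x) and OR_{1<=j<=k-1} (kx - 1) &_k y = j*x (end of Lemma 1)."""
    return is_power(k, x) and any(bmin(k, k * x - 1, y) == j * x for j in range(1, k))

if __name__ == "__main__":
    print(bmin(3, int("120202", 3), int("21201201", 3)) == int("100201", 3))  # True
    print(O0(3, int("100000", 3), int("1020", 3)) == int("110101", 3))        # True
```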


Remark 1. In Subsection 2.2 and Section 3 it is convenient to write O_{k,a}(t, x) instead of O_{k,a}(x) when a ∈ {1, ..., k − 1}. In Section 4 there is no need to consider auxiliary zeros, and we use O_{k,a} with a single parameter, assuming that O_{k,0}(x) = O_{k,0}(x, x).


We conclude this paragraph by defining a set of natural numbers 1_k(N) = {1_k(x) | x ∈ N}. This definition will be useful in the next paragraph.

Second-order definability. Similarly to Bès [2], let us denote by F the set of finite subsets of N and also define a function cod_k : F^n → N^n which maps every tuple (X_1, ..., X_n) ∈ F^n to the tuple of non-negative integers cod_k(X̄) = (Σ_{i∈X_1} k^i, ..., Σ_{i∈X_n} k^i). We see that the image of cod_k is 1_k(N). This function establishes a connection between first-order definability and weak monadic second-order (WMSO-)definability in (N; S) in the following way.
Recall that the WMSO-language L_σ^WMSO allows quantification over finite subsets of the domain, and its signature σ has an auxiliary binary predicate symbol ∈ for the membership relation x ∈ X. Again, let the domain of our structures be the set of natural numbers N. Then a relation R ⊆ F^n is WMSO-definable in the structure (N; σ) if there exists an L_σ^WMSO-formula φ(X_1, ..., X_n) such that R(Ā) ⟺ φ(Ā) for every Ā ∈ F^n. As was explicitly shown by Villemaire [23, Theorem 3.3], every relation R ⊆ F^n is WMSO-definable in the structure (N; S) if and only if cod_2(R) is FO-definable in (N; 0, 1, +, V_2, =).

Note that cod_k is bijective only in the case k = 2, when we have 1_2(N) = N. In the case when k > 2, we can transfer FO-definability results for extensions of k-Büchi arithmetic to their WMSO-definability analogues using the function cod̄_k : N → F^{k−1} which maps every x ∈ N to the tuple cod̄_k(x) = (cod_k^{-1}(O_{k,1}(x)), ..., cod_k^{-1}(O_{k,k−1}(x))). This function can obviously be extended such that cod̄_k : N^n → (F^{k−1})^n. We use cod̄_k to establish a relationship between ∃FO-definability in (N; 0, 1, +, &_k, EqNZB_k, =) and ∃WMSO-definability in (N; S) extended with cardinality constraints of the form |X_1| + ... + |X_r| < |Y_1| + ... + |Y_s|. Section 3 focuses on the existential definability in these structures and recognizability by Parikh automata [16]. We say that R ⊆ F^n is existentially (∃)WMSO-definable in the structure (N; σ) if there exists an L_σ^WMSO-formula ∃Ȳ φ(X̄, Ȳ), where φ(X̄, Ȳ) may include arbitrary first-order quantifiers, such that for every Ā ∈ F^n we have R(Ā) if and only if ∃Ȳ φ(Ā, Ȳ).

The following lemma shows that it is sufficient to extend (N; S) with the relation EqCard(X, Y) ⟺ |X| = |Y| to reason about ∃WMSO-definability in N with successor S and cardinality constraints.


Lemma 3. Every cardinality constraint |X_1| + ... + |X_r| < |Y_1| + ... + |Y_s| is existentially WMSO-definable in the structure (N; S, EqCard).


Proof. Let us first define the graph of ∩ using a formula with one universal first-order quantifier ∀x(x ∈ Z ↔ x ∈ X ∧ x ∈ Y) (and analogously, the graphs of union Z = X ∪ Y and difference Z = X \ Y) and the empty set X = ∅ ⟺ ∀x(¬x ∈ X).

Now it is not difficult to see that

$$|X_1| + \ldots + |X_r| < |Y_1| + \ldots + |Y_s| \iff \exists U \exists V \exists X'_1 \ldots \exists X'_r \exists Y'_1 \ldots \exists Y'_s \Big( \bigwedge_{1\le i<j\le r} X'_i \cap X'_j = \emptyset \wedge \bigwedge_{1\le i\le r} \mathrm{EqCard}(X_i, X'_i) \wedge \bigwedge_{1\le i<j\le s} Y'_i \cap Y'_j = \emptyset \wedge \bigwedge_{1\le i\le s} \mathrm{EqCard}(Y_i, Y'_i) \wedge \bigcup_{1\le i\le r} X'_i = U \wedge \bigcup_{1\le i\le s} Y'_i = V \wedge U \cap V = U \wedge \neg(V \setminus U = \emptyset)\Big). \qquad (3)$$

The following fact is an analogue of Villemaire's theorem [23]. Note that when k = 2 the function cod̄_2 is exactly cod_2^{-1}.
Proposition 1. (i) If a relation R ⊆ F^n is existentially WMSO-definable in the structure (N; S, EqCard), then cod_k(R) is existentially FO-definable in (N; 0, 1, +, &_k, EqNZB_k, =).

(ii) If a relation R ⊆ N^n is ∃FO-definable in (N; 0, 1, +, &_k, EqNZB_k, =), then cod̄_k(R) is ∃WMSO-definable in (N; S, EqCard).


The proof of this proposition is rather straightforward and follows along similar lines as the proof of Villemaire's theorem. Only notice that, in order to deal with universal FO-quantifiers in (i), we apply Corollary 1 from Subsection 2.2.

Klaedtke and Rueß show in [16] that every relation R ⊆ F^n is existentially WMSO-definable in the structure (N; S, EqCard) if and only if it is recognizable by some Parikh automaton over the alphabet {0, 1}^n. By reduction to the emptiness problem for Parikh automata, they show that satisfiability of existential WMSO-formulas in the structure (N; S, EqCard) is decidable. The next paragraph gives the necessary definitions.


Automata languages. The Büchi-Bruyère theorem [4,5] states that every relation is first-order definable in the structure (N; 0, 1, +, V_k, =) if and only if it is recognizable by a finite k-automaton. Haase and Różycki [11] prove that this statement is however not true if we consider existential first-order definability in (N; 0, 1, +, V_k, =). We first recall some automata-theoretic definitions and then show that substituting &_k for V_k yields the desired existential description of k-recognizable sets.

Let Σ be some alphabet and Σ* denote the set of words of finite length over Σ, with a unique empty word ε of length 0. Then a (non-deterministic) finite Σ-automaton (Σ-FA) is a 4-tuple A = (Q, q_0, F, δ), where Q = {q_0, ..., q_s} is a finite set of states with initial state q_0 and the set F ⊆ Q of final states; δ : Q × Σ → 2^Q is the transition function, where 2^Q is the power set of Q. A configuration of A is a pair (q, x), where q ∈ Q is the current state and x ∈ Σ* is the unused part of the input word. A transition relation → over configurations of A is defined such that (q, ax) → (q', x) if and only if q' ∈ δ(q, a). A sequence of transitions between configurations is called a computation of A. We say that x = x_0 x_1 ... x_t ∈ Σ^{t+1} is accepted by a given Σ-FA A if there is an accepting computation of A for x, that is, a sequence (q_0, x_0 x_1 ... x_t) → (q^1, x_1 ... x_t) → ... → (q^t, x_t) → (q_f, ε) for some q_f ∈ F. The set of all words x ∈ Σ* accepted by the Σ-FA A defines the language recognizable by this automaton. This language is denoted by L(A).

A finite k-automaton (k-FA) is defined as a Σ_k^n-FA, where every letter from Σ_k^n is an n-tuple of digits from Σ_k = {0, 1, ..., k − 1}. To each language L ⊆ (Σ_k^n)* there corresponds a relation R_L over N^n in the following way: R_L = {Σ_{i=0}^t x_i k^i | x_0 ... x_t ∈ L}. An n-ary relation R over N is called k-FA-recognizable if there exists a k-FA A such that for every ā ∈ N^n we have R(ā) ⟺ R_{L(A)}(ā). For technical convenience, the notion of k-recognizability is commonly defined [4,23,24] for deterministic k-FA (k-DFA), where for every state q and letter a ∈ Σ_k^n it holds that |δ(q, a)| ≤ 1. Since Σ-FA and Σ-DFA recognize the same class of languages [17], i.e. the class of regular languages over the alphabet Σ, this restriction does not change the class of recognizable relations. In our logical characterization of k-FA-recognizable relations we will not benefit from such restrictions on the transition function.

The definition of $\Sigma$-FA can be extended by adjoining to every letter of $\Sigma$ a
vector $v \in D$, where $D$ is a finite subset of $\mathbb{N}^m$, and imposing certain restrictions
on the accepting sequences of transitions to obtain Parikh finite automata ($\Sigma$-PFA).
That is, for some $m > 0$ and a finite set $D \subseteq \mathbb{N}^m$, a $\Sigma$-PFA is a pair $(A, \varphi)$,
denoted by $A_\varphi$, where $A$ is a $(\Sigma \times D)$-FA and $\varphi(y_1, \ldots, y_m)$ is an existential
$L_{(0,1,+,=)}$-formula. It is convenient to think of a configuration of $\Sigma$-PFA as an
$(m+2)$-tuple $(q, x, y_1, \ldots, y_m)$ where the pair $(q, x)$ is the same as in the definition
of configurations of $\Sigma$-FA, and $(y_1, \ldots, y_m)$ is a vector from $\mathbb{N}^m$. A transition
relation between two configurations of $\Sigma$-PFA $A_\varphi$ is now defined as follows:
$(q, ax, y_1, \ldots, y_m) \to (q', x, y_1 + d_1, \ldots, y_m + d_m)$ if and only if $q' \in \delta(q, a, d_1, \ldots, d_m)$.
A word $x = x_0 x_1 \cdots x_l \in \Sigma^{l+1}$ is accepted by $A_\varphi$ if there is a computation
$(q_0, x_0 x_1 \ldots x_l, 0, \ldots, 0) \to (q', x_1 \ldots x_l, y'_1, \ldots, y'_m) \to \cdots \to (q'', x_l, y''_1, \ldots, y''_m) \to (q_f, \varepsilon, y_1, \ldots, y_m)$
for some $q_f \in F$ and the formula $\varphi(y_1, \ldots, y_m)$ is true. We denote
by $L(A_\varphi)$ the language recognizable by $\Sigma$-PFA $A_\varphi$.

In order to deal with definability over the natural numbers, we again consider
$\Sigma_k^n$-PFA, which we call $k$-Parikh finite automata ($k$-PFA). The $k$-PFA-recognizable
relations $R \subseteq \mathbb{N}^n$ are defined analogously. The prefixes $\Sigma$- and $k$- will
sometimes be omitted when the exact alphabet $\Sigma$ or value of $k$ is not significant.
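As an added illustration (this code is not from the paper), the following Python simulates $k$-FA and $k$-PFA acceptance over words of $n$-tuples of digits read least significant digit first, as in the inverse base-$k$ representation used above. It builds a 2-FA for the relation $x + y = z$ and a 2-PFA whose Parikh vector counts the non-zero digits of $x$ and $y$; reading $\mathrm{EqNZB}_k(x, y)$ as "$x$ and $y$ have the same number of non-zero base-$k$ digits" is an assumption of this example.

```python
from typing import Callable, Dict, Iterable, List, Set, Tuple

Letter = Tuple[int, ...]   # a letter of Sigma_k^n: an n-tuple of base-k digits
Vec = Tuple[int, ...]      # a vector from D, a finite subset of N^m
# delta maps (state, letter, vector d) to the set of successor states.  A plain
# k-FA is the special case m = 0, where the only vector is the empty tuple ().
Delta = Dict[Tuple[int, Letter, Vec], Set[int]]


def encode(nums: Iterable[int], k: int) -> List[Letter]:
    """Word over Sigma_k^n for the tuple x_1..x_n: digit positions are read
    least significant first, and shorter numbers are padded with zero digits
    (the inverse base-k representation of an n-tuple)."""
    xs = list(nums)
    word: List[Letter] = []
    while True:
        word.append(tuple(x % k for x in xs))
        xs = [x // k for x in xs]
        if not any(xs):
            return word


def pfa_accepts(word: List[Letter], m: int, q0: int, final: Set[int],
                delta: Delta, phi: Callable[[Vec], bool]) -> bool:
    """Acceptance by the k-PFA (A, phi): configurations (q, y_1..y_m) are
    explored breadth-first over all nondeterministic branches; the word is
    accepted iff some branch consumes it, ends in a final state and its
    accumulated vector satisfies phi."""
    configs: Set[Tuple[int, Vec]] = {(q0, tuple([0] * m))}
    for a in word:
        nxt: Set[Tuple[int, Vec]] = set()
        for q, y in configs:
            for (p, b, d), succ in delta.items():
                if p == q and b == a:
                    y2 = tuple(yi + di for yi, di in zip(y, d))
                    nxt.update((q2, y2) for q2 in succ)
        configs = nxt
    return any(q in final and phi(y) for q, y in configs)


def addition_fa(k: int) -> Tuple[Set[int], Delta]:
    """k-FA for the 3-ary relation x + y = z (hypothetical example automaton).
    The state is the carry; reading (a, b, c) is allowed iff c is the low
    digit of a + b + carry, and the new carry is the high digit."""
    delta: Delta = {}
    for carry in (0, 1):
        for a in range(k):
            for b in range(k):
                s = a + b + carry
                delta[(carry, (a, b, s % k), ())] = {s // k}
    return {0}, delta          # accept only if no carry is pending at the end


def recognizes_sum(x: int, y: int, z: int, k: int = 2) -> bool:
    final, delta = addition_fa(k)
    return pfa_accepts(encode([x, y, z], k), 0, 0, final, delta, lambda _: True)


def eqnzb_pfa(k: int) -> Tuple[Set[int], Delta, Callable[[Vec], bool]]:
    """k-PFA with one state and m = 2 counters over D = {0,1}^2: reading the
    letter (a, b) adds ([a != 0], [b != 0]) to the counters, so at the end of
    the word they hold the numbers of non-zero digits of x and of y, and phi
    asks for them to be equal (the assumed meaning of EqNZB_k(x, y))."""
    delta: Delta = {}
    for a in range(k):
        for b in range(k):
            delta[(0, (a, b), (int(a != 0), int(b != 0)))] = {0}
    return {0}, delta, lambda y: y[0] == y[1]


def eqnzb(x: int, y: int, k: int = 2) -> bool:
    final, delta, phi = eqnzb_pfa(k)
    return pfa_accepts(encode([x, y], k), 2, 0, final, delta, phi)


if __name__ == "__main__":
    print(recognizes_sum(3, 5, 8), recognizes_sum(3, 5, 9))   # True False
    print(eqnzb(5, 6), eqnzb(7, 8), eqnzb(4, 8, k=3))           # True False True
```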

The original definition of Parikh automata [16] uses semi-linear sets $C \subseteq \mathbb{N}^m$
instead of existential formulas of Presburger arithmetic, but it is well-known [10]
that these definitions of PFA are equivalent. The main result by Klaedtke and
Rueß [15, Theorems 12 and 15] states that every relation $R \subseteq \mathcal{F}^n$ is $\exists$WMSO-
definable in the structure $(\mathbb{N}; S, \mathrm{EqCard})$ if and only if the relation $\mathrm{cod}_2(R)$ is
2-PFA-recognizable. The "only if" part of this WMSO-characterization follows
from the fact that the class of languages recognizable by PFA is closed under
union, intersection, left and right quotients [15, Property 4] and that $\mathrm{EqCard}$
with its negation are recognizable by 2-PFA. Since it is easy to construct $k$-PFA
for the predicate $\mathrm{EqNZB}_k$ and for its negation, the following proposition can be
proved in a similar way.


Proposition 2. If some relation $R \subseteq \mathbb{N}^n$ is existentially FO-definable in the
structure $(\mathbb{N}; 0, 1, +, \&_k, \mathrm{EqNZB}_k, =)$ then it is $k$-PFA-recognizable.


Based on Parikh's theorem [21], Klaedtke and Rueß proved decidability of
the emptiness problem for PFA, and thus decidability of the existential WMSO-
theory of $(\mathbb{N}; S, \mathrm{EqCard})$. They also proved that the universality problem for
Parikh automata is undecidable. In contrast to finite automata, deterministic
Parikh automata, where for every $(q, a) \in Q \times \Sigma_k^n$ there exists at most one pair
$(q', d) \in Q \times D$ such that $q' \in \delta(q, (a, d))$, are less powerful than PFA. The
paper by Cadilhac, Finkel and McKenzie [6] provides some explicit examples
of languages recognizable by PFA but not by any deterministic PFA. These
authors continued the study of other properties of PFA and, in particular, proved
undecidability of the regularity property for PFA. This result will be used in
Section 3.
2.2 Existential characterization of k-FA-recognizable languages


In this section we illustrate the main idea of the existential characterization from
Section 3. Our aim now is to prove the following theorem.


Theorem 1. For an integer $k \ge 2$ every relation is $k$-FA-recognizable if and
only if it is existentially definable in the structure $(\mathbb{N}; 0, 1, +, \&_k, =)$.


Proof. Let $A = (Q, q_0, F, \delta)$ be a $k$-FA. We are going to prove existential
definability of the relation $R_{L(A)}$ in the structure $(\mathbb{N}; 0, 1, +, \&_k, =)$ by encoding the
existence of an accepting computation of $A$ when the input word is the $k$-ary
representation of $\bar x = x_1, \ldots, x_n$. To this end, let us first introduce new variables
$\bar q = q_0, \ldots, q_s$, one for every state $q_i \in Q$; for a state $p \in Q$, we denote by $\nu(p)$ its
number from $[0..s]$. The following restriction on $\bar q$ expresses the fact that at each
step of a computation the automaton $A$ has a unique state from $Q$:

\[
K_k(t, \bar q) = \bigwedge_{0 \le i < j \le s} q_i \mathbin{\&_k} q_j = 0 \;\wedge\; q_0 + \ldots + q_s = L_k(t) \;\wedge\; 1 \preceq_k q_0 \;\wedge\; \bigvee_{p \in F} t \preceq_k q_{\nu(p)}. \tag{4}
\]

Here $t$ will be another existentially quantified variable that will be a power
of $k$. This variable corresponds to a configuration $(p, \varepsilon)$ for some $p \in F$, and
formula (4) also requires that the computation starts in the state $q_0$. It is obvious
that $t$ must be greater than $x_i$ for every $i \in [1..n]$; this restriction will appear in
the resulting formula below.
In order to express the fact that each step of a computation is performed
in accordance with the transition function $\delta \colon Q \times \Sigma_k^n \to 2^Q$, we introduce a
predicate $\Delta_{(p,\bar a)}(t, \bar q, \bar x)$. For every pair $(p, \bar a) \in Q \times \Sigma_k^n$, we have

\[
\Delta_{(p,\bar a)}(t, \bar q, \bar x) = \Bigl(q_{\nu(p)} \mathbin{\&_k} \mathop{\&_k}_{i \in [1..n]} \theta_{k,a_i}(x_i)\Bigr) \preceq_k \frac{\bigvee_{p' \in \delta(p,\bar a)} q_{\nu(p')}}{k}, \tag{5}
\]

where $\bigvee$ denotes the bitwise maximum and, by definition, $\bigvee_{y \in \emptyset} y = 0$. From this
formula we see that at each step of an accepting computation there are either no
configurations with the state $p$ and a word starting with the letter $\bar a = (a_1, \ldots, a_n)$,
or in the next configuration the state will be from $\delta(p, \bar a)$. By combining formulas (4)
and (5), we conclude that

\[
R_{L(A)}(\bar x) \iff \exists t\, \exists \bar q \Bigl(P_k(t) \wedge \bigwedge_{i \in [1..n]} x_i < t \wedge K_k(t, \bar q) \wedge \bigwedge_{(p,\bar a) \in Q \times \Sigma_k^n} \Delta_{(p,\bar a)}(t, \bar q, \bar x)\Bigr). \tag{6}
\]


It remains to use formulas (1) and (2), the Büchi–Bruyère theorem and Lemmas 1
and 2.


Corollary 1. If a relation is definable in the structure $(\mathbb{N}; 0, 1, +, \&_k, =)$ then
it is existentially definable in this structure.


This result for $k = 2$ can be transferred to the second-order case similarly
to Proposition 1. Thus, we obtain a corollary, which was essentially proved by
Elgot [9, Theorem 5.3 (b)].


Corollary 2. If a relation $R \subseteq \mathcal{F}^n$ is WMSO-definable in the structure $(\mathbb{N}; S)$
then it is existentially WMSO-definable in this structure.
3 First-order characterization of Parikh automata


The aim of this section is to prove the converse statement to Proposition 2
and thus obtain an existential first-order characterization of Parikh automata
languages. The Parikh map over the natural numbers can be defined as a function
$\#_k \colon \mathbb{N} \to \mathbb{N}^k$ such that $\#_k(x) = (\#_{k,0}(x), \ldots, \#_{k,k-1}(x))$, where every function
$\#_{k,j}$ counts the number of occurrences of the digit $j$ in the $k$-ary representation of $x$.
For such counting functions we have the following lemma.


Lemma 4. Let $R(x_1, \ldots, x_n)$ be a relation that is existentially definable in the
structure $(\mathbb{N}; 0, 1, +, =)$, and let $\bar a$ be some vector from $\{0, \ldots, k-1\}^n$. Then the
relation $R(\#_{k,a_1}(x_1), \ldots, \#_{k,a_n}(x_n))$ is $\exists$-definable in $(\mathbb{N}; 0, 1, +, \&_k, \mathrm{EqNZB}_k, =)$.


Proof. It is sufficient to define the relations $\#_{k,a}(x) = d$ for integers $d \ge 0$ and
$\#_{k,a}(x) + \#_{k,b}(y) = \#_{k,c}(z)$ by some existential formulas. For the first relation
we have the formula $\mathrm{EqNZB}_k(\theta_{k,a}(x), k^d - 1)$, and for the second one there is
the following first-order analogue to formula (3):

\[
\#_{k,a}(x) + \#_{k,b}(y) = \#_{k,c}(z) \iff \exists x' \exists y' \bigl(\mathrm{EqNZB}_k(x' + y', \theta_{k,c}(z)) \wedge x' \mathbin{\&_k} y' = 0 \wedge \mathrm{EqNZB}_k(\theta_{k,a}(x), x') \wedge \mathrm{EqNZB}_k(\theta_{k,b}(y), y')\bigr).
\]

It remains to use existential definability of the graph of $\theta_{k,a}$ in the structure
$(\mathbb{N}; 0, 1, +, \&_k, =)$.

Note that every function $\#_{k,j}$ can be represented in terms of Subsection 2.1
as $\#_{k,j}(x) = |\mathrm{cod}_k^{-1}(\theta_{k,j}(x))|$, and thus this lemma can also be proved using
Lemma 3 and the first part of Proposition 1.


Let $D$ be some finite subset of $\mathbb{N}^m$, and let $M(D)$ be the maximum integer
occurring in $D$. In the same way as Klaedtke and Rueß [16], we encode vectors
from $D$ of a given $k$-Parikh automaton by introducing $M(D) + 1$ new variables
$y_{i,0}, \ldots, y_{i,M(D)}$ for each coordinate $y_i$. For every $i \in [1..m]$, these variables will
be pairwise disjoint (i.e. $y_{i,j_1} \mathbin{\&_k} y_{i,j_2} = 0$ for $j_1 \ne j_2$) and their representation in
base $k$ will contain only zeros and ones. For this reason, we use only $\#_{k,1}$ in our
encoding and denote $\#_k = \#_{k,1}$.


Theorem 2. For every integer $k \ge 2$ a relation $R \subseteq \mathbb{N}^n$ is $k$-PFA-recognizable
if and only if it is $\exists$-definable in the structure $(\mathbb{N}; 0, 1, +, \&_k, \mathrm{EqNZB}_k, =)$.


Proof. The "if" direction of this theorem is Proposition 2. In the proof of the
"only if" direction, suppose we are given a $k$-Parikh automaton $A_\varphi$ for some
finite set $D \subseteq \mathbb{N}^m$, where $A = (Q, q_0, F, \delta)$ is a FA over the alphabet $\Sigma_k^n \times D$ and
$\varphi$ is an existential $L_{(0,1,+,=)}$-formula. We are going to construct an existential
$L_{(0,1,+,\&_k,\mathrm{EqNZB}_k,=)}$-formula $\psi$ such that $R_{L(A_\varphi)}(\bar a)$ if and only if $\psi(\bar a)$ for every
$\bar a \in \mathbb{N}^n$. Again, $\psi(\bar x)$ will encode the existence of an accepting computation of
$A_\varphi$ when the input word is the $k$-ary representation of $\bar x$.

The sequence of states from an accepting computation of $A$ can be encoded
using the predicate $K_k(t, \bar q)$, defined by the existential $L_{(0,1,+,\&_k,=)}$-formula (4).
We modify formula (5) so that it works with the alphabet $\Sigma_k^n \times D$. To this end,
let us introduce $m(M(D) + 1)$ variables $\bar y = y_{1,0}, \ldots, y_{1,M(D)}, \ldots, y_{m,0}, \ldots, y_{m,M(D)}$
such that for every $i \in [1..m]$ it holds that $\Theta_k(t, y_{i,0}, \ldots, y_{i,M(D)})$, where

\[
\Theta_k(t, y_0, \ldots, y_M) = \bigwedge_{0 \le i < j \le M} y_i \mathbin{\&_k} y_j = 0 \;\wedge\; y_0 + \ldots + y_M = L_k(t).
\]

Now for every $(p, \bar a, \bar d) \in Q \times \Sigma_k^n \times D$ we have:

\[
\Delta_{(p,\bar a,\bar d)}(t, \bar q, \bar x, \bar y) = \Bigl(q_{\nu(p)} \mathbin{\&_k} \mathop{\&_k}_{i \in [1..n]} \theta_{k,a_i}(x_i) \mathbin{\&_k} \mathop{\&_k}_{j \in [1..m]} y_{j,d_j}\Bigr) \preceq_k \frac{\bigvee_{p' \in \delta(p,\bar a,\bar d)} q_{\nu(p')}}{k}.
\]

Recall that the expression with bitwise maximums $\bigvee$ evaluates to zero when
$\delta(p, \bar a, \bar d) = \emptyset$.

By combining all the parts of the existential definition of $R_{L(A_\varphi)}$, we get the
following analogue to formula (6):

\[
\begin{aligned}
R_{L(A_\varphi)}(\bar x) \iff \exists t\, \exists \bar q\, \exists \bar y \Bigl( & P_k(t) \wedge \bigwedge_{i \in [1..n]} x_i < t \wedge K_k(t, \bar q) \wedge \\
& \bigwedge_{i \in [1..m]} \Theta_k(t, y_{i,0}, \ldots, y_{i,M(D)}) \wedge \bigwedge_{(p,\bar a,\bar d) \in Q \times \Sigma_k^n \times D} \Delta_{(p,\bar a,\bar d)}(t, \bar q, \bar x, \bar y) \wedge \\
& \varphi\Bigl(\sum_{c \in [1..M(D)]} c \cdot \#_k(y_{1,c}), \ldots, \sum_{c \in [1..M(D)]} c \cdot \#_k(y_{m,c})\Bigr)\Bigr).
\end{aligned}
\]

It remains to apply Lemma 4 to obtain the desired existential formula.


This result gives us the following statement concerning decidability of fragments
of the first-order theory of the structure $(\mathbb{N}; 0, 1, +, \&_k, \mathrm{EqNZB}_k, =)$.


Corollary 3. The existential theory of $(\mathbb{N}; 0, 1, +, \&_k, \mathrm{EqNZB}_k, =)$ is decidable
and the $\forall\exists$-theory of this structure is undecidable.


Proof. The first part of the corollary is just a variation on the automata-theoretic
techniques that were formalized by Hodgson [12]. It follows from the decidability
of the emptiness problem for PFA. Undecidability of the universality problem,
combined with Theorem 2, implies undecidability already for the problem of
deciding $\forall\exists$-formulas with a single universal quantifier.


Haase and Różycki [11, Conclusion] ask whether the property of $\exists$-definability
is decidable for the relations definable in the structure $(\mathbb{N}; 0, 1, +, V_k, =)$. Using
Theorem 1, this problem can be reformulated so that we consider only existentially
definable sets, but now the signatures are different. Namely, the question is
whether we can decide if a set $\exists$-definable in the structure $(\mathbb{N}; 0, 1, +, V_k, \&_k, =)$
is $\exists$-definable in $(\mathbb{N}; 0, 1, +, V_k, =)$. A similar question can be answered in the
negative for the structure with $\&_k$ and $\mathrm{EqNZB}_k$.
Proposition 3. The problem of deciding whether a set existentially definable
in the structure $(\mathbb{N}; 0, 1, +, \&_k, \mathrm{EqNZB}_k, =)$ is $\exists$-definable in $(\mathbb{N}; 0, 1, +, \&_k, =)$
is undecidable.


This follows from Theorems 1 and 2, and from undecidability of the regularity
property for Parikh automata, which was proved by Cadilhac, Finkel and
McKenzie [6, Proposition 7].

Parikh automata are closely related to multi-counter machines (MCM): they
recognize exactly the same languages as reversal-bounded MCM [15, Section A.3]
(see also [6, Subsection 3.3]). Recall that an MCM is reversal-bounded (the notion
was introduced by Ibarra [13]) if there exists a pair of integers $(r, s)$ such that in
every accepting computation the value of each counter increases and decreases
at most $r$ times and the input head reverses at most $s$ times. Theorem 2 now
gives an existential first-order characterization of this restricted version of MCM.
It is clear that the model of PFA is more suitable for our logical descriptions.
However, as we will see in the next section, the behaviour of MCM can be
described in a similar way when the structure is extended with concatenation.


4 Multi-counter machines and DPR-theorem 


4.1 Two-way multi-counter machines 


Following Ibarra [13], we define a two-way multi-counter machine $M$ over an
alphabet $\Sigma$ ($\Sigma$-MCM) with two special symbols $\vdash, \dashv$ as a tuple $(m, Q, q_0, F, \delta)$.
Here, $m > 0$ is the number of counters of $M$, the triple $(Q, q_0, F)$ has
its standard meaning, and $\delta$ is a function from $Q \times (\Sigma \cup \{\vdash, \dashv\}) \times \{0,1\}^m$ to
$2^{Q \times \{-1,0,1\}^{m+1}}$. Every computation of $M$ starts with an input $x \in \Sigma^*$ written
on the tape between the delimiters, $\vdash x \dashv$, and the input head of $M$ reading
the left delimiter $\vdash$. A configuration of $M$ on an input $\vdash x \dashv$ is given by an
$(m+3)$-tuple $(q, \vdash x \dashv, i, y_1, \ldots, y_m)$ denoting the fact that $M$ is in state $q$, the
read-only input head scans the $i$-th symbol of the input, and $y_1, \ldots, y_m$ are some
non-negative integer values of the counters. The relation $\to$ over configurations
is defined such that $(q, \vdash x \dashv, i, y_1, \ldots, y_m) \to (q', \vdash x \dashv, i + \Delta, y_1 + d_1, \ldots, y_m + d_m)$
if and only if $(q', \Delta, d_1, \ldots, d_m) \in \delta(q, a, [y_1 > 0], \ldots, [y_m > 0])$, where $a$ is the $i$-th
symbol of the input and $[y > 0]$ returns 1 if $y > 0$, and 0 otherwise. A natural
restriction on $\delta$ prevents the cases when: (1) $[y_i > 0] = 0$ and $d_i = -1$; (2) $i = 0$
and $\Delta = -1$; (3) the $i$-th symbol of the input is $\dashv$ and $\Delta = 1$.

We say that $x \in \Sigma^*$ is accepted by a given $\Sigma$-MCM if for the input word
$\vdash x \dashv$ there is a computation $(q_0, \vdash x \dashv, 0, 0, \ldots, 0) \to \cdots \to (q_f, \vdash x \dashv, 0, 0, \ldots, 0)$
for some $q_f \in F$. The set of all the words $x \in \Sigma^*$ accepted by a $\Sigma$-MCM $M$
defines the language recognized by this machine, which we denote by $L(M)$. In
order to properly relate $\Sigma$-MCM with definability over $\mathbb{N}$, we again assume that
$\Sigma = \Sigma_k^n$ for $k \ge 2$. Every $x \in \Sigma^*$ is now an element of $\mathbb{N}^n$ in the inverse base $k$
representation. An $n$-ary relation $R$ over $\mathbb{N}$ is called $k$-MCM-recognizable if there
exists a $\Sigma_k^n$-MCM $M$ such that for every $\bar a \in \mathbb{N}^n$ we have $R(\bar a) \iff R_{L(M)}(\bar a)$.
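The following Python simulator, added here as an illustration and not taken from the paper, implements the two-way multi-counter machine semantics just defined, including the restrictions (1)–(3) and acceptance in a final state with the head back on $\vdash$ and all counters zero. The example machine, a hypothetical 2-MCM with two counters, accepts exactly the numbers whose binary representation contains as many 0s as 1s.

```python
from collections import deque
from itertools import product
from typing import Deque, Dict, List, Set, Tuple

LEFT, RIGHT = "L", "R"            # stand for the delimiters |- and -| of the text
Counters = Tuple[int, ...]
Move = Tuple[int, int, Counters]  # (q', Delta, d_1..d_m)
# delta[(q, symbol, flags)] with flags = ([y_1 > 0], ..., [y_m > 0])
Delta = Dict[Tuple[int, object, Counters], Set[Move]]


def inverse_base(x: int, k: int) -> List[int]:
    """Inverse base-k representation of x: digits least significant first."""
    word: List[int] = []
    while x > 0:
        word.append(x % k)
        x //= k
    return word


def mcm_accepts(word: List[int], m: int, q0: int, final: Set[int],
                delta: Delta, max_configs: int = 100_000) -> bool:
    """Breadth-first search over configurations (q, i, y_1..y_m) of the MCM on
    the tape |- word -|.  Counters are unbounded in general, so the search is
    cut off after max_configs distinct configurations (then we answer False)."""
    tape: List[object] = [LEFT] + list(word) + [RIGHT]
    start = (q0, 0, tuple([0] * m))
    seen = {start}
    queue: Deque[Tuple[int, int, Counters]] = deque([start])
    while queue:
        q, i, y = queue.popleft()
        # accepting configuration: final state, head on |-, all counters zero
        if q in final and i == 0 and not any(y):
            return True
        flags = tuple(int(v > 0) for v in y)
        for q2, mv, d in delta.get((q, tape[i], flags), ()):
            # the natural restrictions (1)-(3) on delta from the definition
            if any(f == 0 and di == -1 for f, di in zip(flags, d)):
                continue                       # (1) decrement of a zero counter
            if i == 0 and mv == -1:
                continue                       # (2) moving left of |-
            if tape[i] == RIGHT and mv == 1:
                continue                       # (3) moving right of -|
            conf = (q2, i + mv, tuple(v + di for v, di in zip(y, d)))
            if conf not in seen:
                if len(seen) >= max_configs:
                    return False
                seen.add(conf)
                queue.append(conf)
    return False


def balanced_digits_mcm() -> Tuple[int, int, Set[int], Delta]:
    """Hypothetical 2-MCM with m = 2 counters accepting x iff the binary word of
    x has as many 0-digits as 1-digits.  State 0 scans right, counting 0s in
    y_1 and 1s in y_2; at -| it reverses (state 1) and walks back to |-; in
    state 2 it decrements both counters in lock step and enters the final
    state 3 only when both reach zero simultaneously."""
    delta: Delta = {}
    for f in product((0, 1), repeat=2):
        delta[(0, LEFT, f)] = {(0, 1, (0, 0))}
        delta[(0, 0, f)] = {(0, 1, (1, 0))}
        delta[(0, 1, f)] = {(0, 1, (0, 1))}
        delta[(0, RIGHT, f)] = {(1, -1, (0, 0))}
        delta[(1, 0, f)] = {(1, -1, (0, 0))}
        delta[(1, 1, f)] = {(1, -1, (0, 0))}
        delta[(1, LEFT, f)] = {(2, 0, (0, 0))}
    delta[(2, LEFT, (1, 1))] = {(2, 0, (-1, -1))}
    delta[(2, LEFT, (0, 0))] = {(3, 0, (0, 0))}
    return 2, 0, {3}, delta


def balanced(x: int) -> bool:
    """2-MCM-recognizability of the relation 'x has equal numbers of 0s and 1s'."""
    m, q0, final, delta = balanced_digits_mcm()
    return mcm_accepts(inverse_base(x, 2), m, q0, final, delta)


if __name__ == "__main__":
    print([x for x in range(20) if balanced(x)])   # [0, 2, 9, 10, 12]
```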
Two-way multi-counter machines can simulate Turing machines (see e.g. [17]),
and thus every relation $R$ over $\mathbb{N}^n$ is r.e. iff it is $k$-MCM-recognizable. The aim
of this section is to use the same arguments as in the cases of $k$-FA and $k$-PFA in
order to obtain an existential characterization of r.e. relations, and Theorem 3
gives us the desired result. The proof will be in some sense intermediate between
the arithmetization of Turing machines by Matiyasevich [19] and the encoding of
register machines by Jones and Matiyasevich in [14], but here we emphasize the
role of concatenation in existential characterizations of multi-counter languages.


4.2 The role of concatenation in DPR-theorem 


Matiyasevich's proof [19] implicitly gives us a description of every r.e. set via
$\exists$-formulas of the first-order language with 0, 1, addition, bitwise multiplication
$\&_k$, concatenation $\frown_k$, and equality. Here, $t = x \mathbin{\frown_k} y \iff t = x + k^{l_k(x)} y = x + k\lambda_k(x)\, y$,
where $l_k(x)$ is the length of $x$ in $k$-ary notation (so that $\lambda_k(x) = k^{l_k(x)-1}$). This
section aims to prove this theorem using the ideas from Subsection 2.2. Informally
speaking, the main difference between the case of $k$-MCM and $k$-FA is that we now
consider bytewise multiplication instead of the bitwise one from Theorem 1. Suppose
a given $k$-MCM accepts $\bar x \in \mathbb{N}^n$ and let $M$ be the maximum value of all the counters
of some accepting computation for $\bar x$. If $u$ is a power of $k$ which is greater than
the maximum of $k^M$ and all the $x_i$, then $l_k(u)$ will be the size of the byte in our
encoding. Every non-negative integer can be represented as a sequence of bytes
of size $l_k(u)$, which will be called $u$-bytes.

First, we introduce some auxiliary devices, which are required in our construction.
Define the predicate $\Lambda_k(u, t, x)$, which is true when $u$ is a power of
$k$ greater than $k^2$, the variable $x$ has the same $u$-byte-length as $t$ and has the
following form:

[Figure: the $k$-ary digits of $x$ grouped into $u$-bytes, each of length $l_k(u)$; the
first and the last $u$-byte are $000\ldots01$, every $u$-byte contains a single 1, and two
neighbouring digits of the second $u$-byte are marked $**$.]

Here $**$ is either $10$ or $01$, and for every two consecutive $u$-bytes $b_1, b_2$ in $x$
the only 1 in $b_2$ is either in the same place or one bit left/right of its position
in $b_1$. Moreover, the two most significant bits in every $u$-byte are equal to zero.
We will use this predicate to describe a position of the input head and values
of the counters in configurations of a given $k$-MCM. Before we proceed with
the existential definition of this relation, we need to introduce some auxiliary
functions. The first one performs the right shift by $l_k(z)$ bits and can be defined
via the formula $y = \frac{x}{z} \iff \exists v \exists u\, (\lambda_k(z) = u \wedge \lambda_k(v) \preceq_k u \wedge x = u \mathbin{\frown_k} y - u + v)$. The
second function is $\mathrm{Copy}_k(u, t, x)$, which maps to zero when $l_k(u) < l_k(x)$, and
otherwise gives us the sequence of $u$-bytes of the same $u$-byte-length as $t$ such
that each $u$-byte is equal to $x$. The following lemma gives the desired definition,
and then we immediately prove existential definability of $\Lambda_k(u, t, x)$.


Lemma 5. The function $\mathrm{Copy}_k$ is $\exists$-definable in $(\mathbb{N}; 0, 1, +, \&_k, \frown_k, =)$.


Proof. We start with the predicate $\mathrm{Cpy}_k(x, y)$ which is true whenever $y$ has the
form $x \mathbin{\frown_k} \ldots \mathbin{\frown_k} x$. Its definition is rather standard:

\[
\mathrm{Cpy}_k(x, y) \iff y = x \;\vee\; \exists z\, (y = x \mathbin{\frown_k} z \wedge y = z \mathbin{\frown_k} x).
\]

The predicate $\Pi_k(u, x) \iff x = 1 \vee \exists y\, (\mathrm{Cpy}_k(\lambda_k(u), y) \wedge x = ky + 1)$ is another
special case of $\mathrm{Copy}_k$ which is true when $x$ is a sequence of $u$-bytes, each of which
is equal to 1. Then, the minimum power of $k$ of the same $u$-byte-length as $x$ can
be expressed as $y = \lambda_k(u, x) \iff \exists v\, (\Pi_k(u, v) \wedge y \le x \wedge uky > x \wedge y = \lambda_k(v))$.

It is now clear that

\[
\begin{aligned}
y = \mathrm{Copy}_k(u, t, x) \iff{} & \lambda_k(u) < \lambda_k(x) \wedge y = 0 \;\vee\; \lambda_k(u, y) = \lambda_k(u, t) \wedge {} \\
& \bigl(\lambda_k(u) = \lambda_k(x) \wedge \mathrm{Cpy}_k(x, y) \;\vee\; \lambda_k(u) > \lambda_k(x) \wedge \exists y' \exists y'' ( \\
& \quad \mathrm{Cpy}_k(x + \lambda_k(u), y') \wedge \mathrm{Cpy}_k(\lambda_k(u), y'') \wedge \lambda_k(y') = \lambda_k(y'') \wedge y = y' - y'')\bigr).
\end{aligned}
\]

In this formula, the variables $y'$ and $y''$ are introduced in order to supplement
every $u$-byte with a sufficient number of leading zeros.


Lemma 6. The relation $\Lambda_k$ is $\exists$-definable in $(\mathbb{N}; 0, 1, +, \&_k, \frown_k, =)$.


Proof. We are going to prove the correctness of the following definition:

\[
\begin{aligned}
\Lambda_k(u, t, x) \iff \exists z_1 \exists z_2 \exists x_1 \exists x_2 \exists x_3 \bigl( & P_k(u) \wedge k^2 < u \wedge {} \\
& z_1 = \mathrm{Copy}_k(u, t, 1) \wedge \lambda_k(z_1) = \lambda_k(x) \wedge x \mathbin{\&_k} (ku - 1) = 1 \wedge x \preceq_k L_k(z_1) \wedge {} && (7) \\
& x_1 = \tfrac{kx}{u} \wedge x_2 = \tfrac{x}{u} \wedge x_3 = \tfrac{x}{ku} \wedge x = \lambda_k(x) + x \mathbin{\&_k} x_1 + x \mathbin{\&_k} x_2 + x \mathbin{\&_k} x_3 \wedge {} && (8) \\
& x_1 \mathbin{\&_k} x_2 = 0 \wedge x_1 \mathbin{\&_k} x_3 = 0 \wedge x_2 \mathbin{\&_k} x_3 = 0 \wedge {} && (9) \\
& z_2 = \mathrm{Copy}_k(u, t, u) \wedge x \mathbin{\&_k} \bigl(z_2 + \tfrac{z_2}{k}\bigr) = 0 \bigr). && (10)
\end{aligned}
\]

Conjunction (7) expresses that $x$ is a sequence of the same number of $u$-bytes as $t$
that starts and ends with the $u$-byte $000\ldots01$, and in every $u$-byte there can only
be zeros and ones. Condition (10) specifies that the two most significant bits in
every $u$-byte of $x$ are equal to zero. Next, the variables $x_1, x_2, x_3$ correspond to
the right shifts of $x$ by one $u$-byte plus $D \in \{-1, 0, +1\}$. Let us prove that in every
$u$-byte there is a unique 1 and that it has the same position plus $D \in \{-1, 0, +1\}$
compared to the previous $u$-byte.

From (8), we see that in every $u$-byte of $x$ there is at least one 1. Indeed, if
$x \ne 1$ then the first $u$-byte of $x_1$, or $x_2$, or $x_3$ must contain 1 (the least significant
bit); thus, the second $u$-byte of $x$ is also non-zero, etc. This 1 in every $u$-byte
is in the desired position since the values $x \mathbin{\&_k} x_1$, $x \mathbin{\&_k} x_2$, $x \mathbin{\&_k} x_3$ describe the
three cases in which the position in the next $u$-byte is the same plus $-1$, $0$, $+1$,
respectively.

Now we prove that there are no other non-zero bits in every $u$-byte of $x$.
Assume for a contradiction that there is a $u$-byte in $x$ with more than one 1.
Then, there are two consecutive $u$-bytes (which are depicted below)
such that the left $u$-byte has the only 1, and the right one has at least two 1s.
This pair exists because the most significant $u$-byte of $x$ equals 1. From the
representation of $x$ in (8), we see that the bits $a, b, f, g$ are all equal to zero.
Next, since by (9) $x_1$, $x_2$ and $x_3$ are pairwise disjoint, among $c$, $d$ and $e$ there is
only one 1. This contradicts our assumption.


[Figure: two consecutive $u$-bytes (each of length $l_k(u)$) of $x$, $x_1$, $x_2$ and $x_3$; the
left $u$-byte of $x$ contains a single 1, and the bits $a, b, c, d, e, f, g$ of the right
$u$-byte of $x$ are marked together with their shifted copies in $x_1$, $x_2$ and $x_3$.]
It remains to prove that for every $u$ and $x$ such that $\Lambda_k(u, t, x)$ there exist
non-negative integers from the definition above. This is obvious for $z_1$ and $z_2$;
the existence of $x_1, x_2, x_3$ follows from the fact that there are at least two zeros
between every pair of 1s in $x$.


In our proof we check whether or not the $u$-bytewise minimum of two natural
numbers equals zero. In order to express this property, let us introduce a function
$U_k$ which modifies $x$ as follows. If $x$ can be split into consecutive $u$-bytes where
the most significant bit is equal to zero, then $U_k(u, x)$ replaces every non-zero
$u$-byte by 1. Otherwise, this function maps to zero. For example, when $x =
10\,000\,011\,000\,010$ we have $U_2(100, x) = 1\,000\,001\,000\,001$ and $U_2(1000, x) = 0$.
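For concreteness, here is an added Python rendering (not code from the paper) of the $u$-byte machinery used in this section: the length $l_k$, the concatenation $x \mathbin{\frown_k} y = x + k^{l_k(x)} y$, the function $\mathrm{Copy}_k(u, t, x)$ and the function $U_k(u, x)$ just defined; it reproduces the example $U_2(100, x)$ above. The convention $l_k(0) = 0$ (zero is the empty word) is an assumption of this code.

```python
from typing import List


def digits_k(x: int, k: int) -> List[int]:
    """Base-k digits of x, least significant first (empty for x = 0)."""
    ds: List[int] = []
    while x > 0:
        ds.append(x % k)
        x //= k
    return ds


def l_k(x: int, k: int) -> int:
    """Length of x in k-ary notation; l_k(0) = 0 (assumed: 0 is the empty word)."""
    return len(digits_k(x, k))


def concat_k(x: int, y: int, k: int) -> int:
    """x ^_k y = x + k^{l_k(x)} * y: the k-ary word of y appended after that of x."""
    return x + k ** l_k(x, k) * y


def is_power_of(u: int, k: int) -> bool:
    """P_k(u): u is a power of k (u = 1 counts as k^0)."""
    if u < 1:
        return False
    while u % k == 0:
        u //= k
    return u == 1


def u_bytes(x: int, u: int, k: int) -> List[int]:
    """Split x into u-bytes, i.e. blocks of l_k(u) base-k digits, least
    significant block first.  Each block is a value in [0, ku - 1]."""
    if not is_power_of(u, k):
        raise ValueError("u must be a power of k")
    block = k ** l_k(u, k)          # = k * u
    out: List[int] = []
    while x > 0:
        out.append(x % block)
        x //= block
    return out


def from_u_bytes(blocks: List[int], u: int, k: int) -> int:
    """Inverse of u_bytes: reassemble a number from its u-bytes."""
    block = k ** l_k(u, k)
    return sum(b * block ** i for i, b in enumerate(blocks))


def copy_k(u: int, t: int, x: int, k: int) -> int:
    """Copy_k(u, t, x): as many u-bytes as t has, each equal to x; it is 0
    when x does not fit into one u-byte (l_k(u) < l_k(x))."""
    if l_k(u, k) < l_k(x, k):
        return 0
    return from_u_bytes([x] * len(u_bytes(t, u, k)), u, k)


def U_k(u: int, x: int, k: int) -> int:
    """U_k(u, x): if the most significant digit of every u-byte of x is zero,
    replace each non-zero u-byte by 1; otherwise return 0.  The top digit of a
    u-byte has weight u, so it is non-zero exactly when the block value is >= u."""
    blocks = u_bytes(x, u, k)
    if any(b >= u for b in blocks):
        return 0
    return from_u_bytes([int(b != 0) for b in blocks], u, k)


if __name__ == "__main__":
    x = 0b10000011000010                                # the example from the text
    print(bin(U_k(0b100, x, 2)), U_k(0b1000, x, 2))    # 0b1000001000001 0
```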


Lemma 7. The function $U_k$ is $\exists$-definable in $(\mathbb{N}; 0, 1, +, \&_k, \frown_k, =)$.


Proof. Let us first define a predicate $U'_k$ which (in comparison with the function
$U_k$) is also true for the cases when $y$ has $u$-bytes equal to 1 while the corresponding
$u$-bytes of $x$ are equal to zero. In $U'_k$ there are also no restrictions on the most
significant bits of $u$-bytes. We have the definition

\[
U'_k(u, x, y) \iff \exists t\, \exists t'\, \exists v\, \Bigl(\mathrm{Cpy}_k(\lambda_k(u), t) \wedge t' \preceq_k t \wedge v = kt' - \frac{kt'}{u} \wedge x \preceq_k v \wedge y = v \mathbin{\&_k} \mathrm{Copy}_k(u, x, 1)\Bigr).
\]

The $k$-ary representation of $v$ is a sequence of $u$-bytes which are either zero or
equal to $ku - 1$; moreover, for every unit in $x$ there is $(k-1)$ in $v$. Then we select
the desired 1 in $y$ via a bitwise multiplication of $v$ by a sequence of $u$-bytes of
the same $u$-byte-length as $x$, where all bytes are equal to 1.

In order to exclude extra non-zero $u$-bytes from $y$, we consider the difference
$kx - y$. Recall that the definition of $U_k$ requires zeroness of the most significant
bit in every $u$-byte. Thus, we have

\[
y = U_k(u, x) \iff x \mathbin{\&_k} \mathrm{Copy}_k(u, x, u) > 0 \wedge y = 0 \;\vee\; x \mathbin{\&_k} \mathrm{Copy}_k(u, x, u) = 0 \wedge U'_k(u, x, y) \wedge (k-1)y \preceq_k (kx - y). \tag{11}
\]
Consider the case when the most significant bits in $u$-bytes of $x$ are all zero.
The least significant bit in every $u$-byte of $kx$ now equals 0, and the fact that
there is a unique $y$ that satisfies the definition can be illustrated as follows:

[Figure: three rows of $u$-bytes (each of length $l_k(u)$), arranged in three columns,
representing the numbers $kx$, $y$ and $(kx - y)$.]

These three lines represent the numbers $kx$, $y$, and $(kx - y)$, respectively. The
left column demonstrates the general "correct" case. The middle and the right
columns show why the existence of an extra non-zero $u$-byte in $y$ contradicts
definition (11).


We are now able to prove the main result of this section. 


Theorem 3. For every integer $k \ge 2$ a relation is $k$-MCM-recognizable if and
only if it is $\exists$-definable in the structure $(\mathbb{N}; 0, 1, +, \&_k, \frown_k, =)$. Therefore, every
relation $R \subseteq \mathbb{N}^n$ is r.e. iff it is $\exists$-definable in this structure.


Proof. For a given $k$-MCM $M = (m, Q, q_0, F, \delta)$ and an input vector $\bar x \in \mathbb{N}^n$ in
$k$-ary notation, we are going to encode the existence of an accepting sequence
of transitions between configurations of $M$. First choose a variable $u$ such that
$P_k(u) \wedge \bigwedge_{i \in [1..n]} k^4 x_i < u$; this choice specifies the size of bytes in our encoding.
We multiply by $k^4$ since in a $u$-byte there must be two bits for the delimiters $\vdash, \dashv$ and
at least two auxiliary zeros from the definition of $\Lambda_k$.
A sequence of states is encoded similarly to formula (4), that is,

\[
K_k(u, t, \bar q) = \bigwedge_{0 \le i < j \le s} q_i \mathbin{\&_k} q_j = 0 \;\wedge\; q_0 + \ldots + q_s = \mathrm{Copy}_k(u, t, 1) \;\wedge\; 1 \preceq_k q_0 \;\wedge\; \bigvee_{p \in F} \lambda_k(u, t) \preceq_k q_{\nu(p)},
\]

where $\bar q = q_0, \ldots, q_s$ and $t$ corresponds to the number of steps of an accepting
computation of $M$. Here we also require $q_0$ to be the initial state and the most
significant $u$-byte of $t$ to correspond to a final configuration.

We now define a predicate $C_M$ that encodes a sequence of configurations
of $M$. Similarly to Matiyasevich [19], in this definition for every $x_i \in \bar x$ a
sequence of copies of $x_i$ is decomposed into disjoint variables $\theta_{i,0}, \ldots, \theta_{i,k-1}$ such
that every $u$-byte of $\theta_{i,a}$ equals $\theta_{k,a}(x_i)$. Let $\bar\theta$ denote the list of variables
$\theta_{1,0}, \ldots, \theta_{1,k-1}, \ldots, \theta_{n,0}, \ldots, \theta_{n,k-1}, \theta_\vdash, \theta_\dashv$, where the extra variables $\theta_\vdash, \theta_\dashv$ encode the
positions of the delimiters. The variable $h$ stores the positions of the input head
of $M$, and the list of variables $\bar y = y_1, \ldots, y_m$ corresponds to the values of the
counters at each step of the computation.
It is convenient to introduce a function $b_k$ which gives the smallest power of
$k$ greater than every $x_i \in \bar x$. The graph of this function can be defined as

\[
y = b_k(\bar x) \iff \bigvee_{i \in [1..n]} y = k\lambda_k(x_i) \;\wedge\; \bigwedge_{i \in [1..n]} y \ge k\lambda_k(x_i).
\]

This function will be applied to encode the positions of the right delimiter $\dashv$.
The following formula describes a sequence of configurations of $M$.


\[
\begin{aligned}
C_M(u, t, \bar q, \bar x, \bar\theta, h, \bar y) = {} & P_k(u) \wedge \bigwedge_{i \in [1..n]} k^4 x_i < u \wedge u < t \wedge K_k(u, t, \bar q) \wedge {} \\
& \theta_\vdash = \mathrm{Copy}_k(u, t, 1) \wedge \bigwedge_{i \in [1..n]} \Bigl(\theta_{i,0} = \mathrm{Copy}_k\bigl(u, t, k\theta_{k,0}(x_i + b_k(\bar x))\bigr) \wedge {} \\
& \bigwedge_{a \in [1..k-1]} \theta_{i,a} = \mathrm{Copy}_k\bigl(u, t, k\theta_{k,a}(x_i)\bigr)\Bigr) \wedge \theta_\dashv = \mathrm{Copy}_k\bigl(u, t, k\, b_k(\bar x)\bigr) \wedge {} \\
& \Lambda_k(u, t, h) \wedge \bigwedge_{i \in [1..m]} \Lambda_k(u, t, y_i).
\end{aligned}
\]

It is easy to see that $\theta_\vdash, \theta_\dashv$ are disjoint with the other variables from $\bar\theta$. For
notational convenience, we subsequently assume that $\theta_{i,\vdash} = \theta_\vdash$ and $\theta_{i,\dashv} = \theta_\dashv$
for every $i \in [1..n]$, and the letters for the delimiters are the vectors $(\vdash, \ldots, \vdash)$ and
$(\dashv, \ldots, \dashv)$ of length $n$.

We now proceed to the encoding of the fact that a given sequence of configurations
is actually a sequence of transitions in $M$. For a letter $(a_1, \ldots, a_n) \in
\Sigma_k^n \cup \{\vdash, \dashv\}$, a state $p \in Q$, and a tuple $\bar c \in \{0,1\}^m$ such that the values of the
counters from $Y_{\bar c} = \{i \in [1..m] \mid c_i = 0\}$ are equal to zero and from $[1..m] \setminus Y_{\bar c}$
are non-zero, the following formula is an analogue to definition (5):


Anas) (u, t, q, 0; h, y) = (rokn & ie (u, (Oi a; &h)) & x 
r v&r & Ux(u, yi — Copy, (u, t, L)&xy:)) Sk 


i€Ye €[1..m]\Ye 


WP) gy, Url, hg, © w )&k & i, Ux (u, Yi &k e (Ww), 
u 


|, icf. Pal 


(p,d,d)€6(p,a,c) 


The key difference with (5) is that now in order to compare two consecutive
configurations we shift by one $u$-byte instead of one bit. It is obvious that the
predicate $\Delta_{(p,\bar a,\bar c)}$ makes sense when it is complemented with $C_M$. In this case,


for example, Ug (u, h && Wwy highlights the configurations for which in the fol- 
lowing configuration the position of the input head shifts by d. Indeed, we obtain 
a sequence of u-bytes, each of which is equal to one if and only if the position 
of the unique 1 in the next u-byte is the same plus d, otherwise this u-byte is 
equal to zero. 
It remains to define the relation $R_{L(M)}$ that corresponds to the language
recognizable by $M$. To this end, we have to consider every tuple $(p, \bar a, \bar c)$ in $Q \times
(\Sigma_k^n \cup \{\vdash, \dashv\}) \times \{0,1\}^m$ and apply the already defined predicates $C_M$ and $\Delta_{(p,\bar a,\bar c)}$:

\[
R_{L(M)}(\bar x) \iff \exists u\, \exists t\, \exists \bar q\, \exists \bar\theta\, \exists h\, \exists \bar y \Bigl(C_M(u, t, \bar q, \bar x, \bar\theta, h, \bar y) \wedge \bigwedge_{(p,\bar a,\bar c) \in Q \times (\Sigma_k^n \cup \{\vdash,\dashv\}) \times \{0,1\}^m} \Delta_{(p,\bar a,\bar c)}(u, t, \bar q, \bar\theta, h, \bar y)\Bigr).
\]

This completes the proof.


Since by [14,19] the bitwise minimum operation $\&_k$ is existentially definable
in $(\mathbb{N}; 0, 1, +, \cdot, \exp, =)$, we obtain the DPR-theorem as a corollary.


Corollary 4 (DPR-theorem). Every relation $R \subseteq \mathbb{N}^n$ is r.e. if and only if it
is $\exists$-definable in the structure $(\mathbb{N}; 0, 1, +, \cdot, \exp, =)$.


Let us fix $k = 2$ and omit mentioning $k$ in $\frown_k$ and $\mathrm{EqNZB}_k$. Since we have
$z = x \mathbin{\&_2} y \iff z \preceq y \wedge y \preceq x + y - z$ (see [14]), bitwise minimum is $\exists$-definable in
$(\mathbb{N}; 0, 1, +, \preceq, \frown, =)$. Next, exponential diophantiness of $\preceq$ follows from the fact
that $x \preceq y$ iff $\binom{y}{x} \equiv 1 \pmod 2$, where $\binom{y}{x}$ is a binomial coefficient. Factorial
representation of binomial coefficients and Legendre's formula imply that

\[
x \preceq y \iff s_2(y) = s_2(x) + s_2(y - x),
\]

where $s_2(x)$ is the number of 1's in the base 2 expansion of $x$. Therefore, the masking
relation is definable by the formula $x \preceq y \iff \mathrm{EqNZB}(y, x \mathbin{\frown} (y - x))$ and we have
the following result.


Corollary 5. Every relation $R \subseteq \mathbb{N}^n$ is r.e. if and only if it is $\exists$-definable in
the structure $(\mathbb{N}; 0, 1, +, \mathrm{EqNZB}, \frown, =)$.


5 Conclusion 


The purpose of this paper is to emphasize similarities in existential first-order
characterizations of the languages recognizable by various abstract machines.
Such descriptions in Sections 3 and 4 allowed us (in some sense) to answer the
question of Bès [2, Open Problems] concerning the expressive power of fragments
of FO-arithmetic with the predicate $\mathrm{EqNZB}$.

Let us mention one natural question which is related to Theorems 1 and 3.
Villemaire proves [23,24] that multiplication is definable in $(\mathbb{N}; 0, 1, +, V_k, V_l, =)$
when $k$ and $l$ are multiplicatively independent. Bès strengthens this result [1]
by showing that the same is true when $V_l$ is replaced by any $l$-recognizable
relation $R_l$ that is not definable in $(\mathbb{N}; 0, 1, +, =)$. It would be interesting to see
whether multiplication is existentially definable in $(\mathbb{N}; 0, 1, +, \&_k, \&_l, =)$, and
more generally, to study $\exists$-definability in the structures $(\mathbb{N}; 0, 1, +, \&_k, R_l, =)$.


Acknowledgements. The author is grateful to the anonymous reviewers for 
Abstract. Coverability in Petri nets finds applications in verification 
of safety properties of reactive systems. We study coverability in the 
equivalent model: Vector Addition Systems with States (VASS). 

A k-VASS can be seen as k counters and a finite automaton whose transi- 
tions are labelled with k integers. Counter values are updated by adding 
the respective transition labels. A configuration in this system consists 
of a state and k counter values. Importantly, the counters are never al- 
lowed to take negative values. The coverability problem asks whether one 
can traverse the k-VASS from the initial configuration to a configuration 
with at least the counter values of the target. 

In a well-established line of work on k-VASS, coverability in 2-VASS is 
already PSPACE-hard when the integer updates are encoded in binary. 
This lower bound limits the practicality of applications, so it is natural 
to focus on restrictions. In this paper we initiate the study of 2-VASS 
with one unary counter. Here, one counter receives binary encoded up- 
dates and the other receives unary encoded updates. Our main result 
is that coverability in 2-VASS with one unary counter is in NP. This 
improves upon the inherited state-of-the-art PSPACE upper bound. Our 
main technical contribution is that one only needs to consider runs in a 
certain compressed linear form. 


Keywords: Vector Addition Systems - Coverability Problem - Linear 
Path Schemes 


1 Introduction 


Vector Addition Systems with States (VASS) are a well-studied class of infinite- 
state systems (see the survey [37]). These are finite automata with counters that 
can be updated, but are never allowed to take negative values. Thus, a config-
uration consists of a state and a vector over the natural numbers. The central 
decision problems are the reachability and coverability problems. The reacha- 
bility problem asks whether from a given start configuration one can reach the 
target configuration. The coverability problem is the same except that the tar- 
get configuration need not be reached exactly, counter values are allowed to 
be greater. Both problems are not only mathematically elegant, but they have 
interesting theoretical applications [7] and implementations [6]. Coverability is 
provably a simpler problem that is better suited for applications; reachability 
tools are mostly applied to coverability benchmarks [14]. Yet coverability has 
applications in the verification of safety conditions in reactive systems [17,21]. 
Such systems may require additional data structures to be accurately repre- 
sented, like counters for example. Safety conditions often boil down to whether 
a particular state can be reached as opposed to a particular configuration [8]. 


Coverability and reachability have been studied for decades. The equivalent 
model of Petri nets was introduced already in the sixties [34]. For general VASS, 
Lipton proved in 1976 an EXPSPACE lower bound that applies to both coverabil- 
ity and reachability [31]. Two years later, Rackoff proved a matching EXPSPACE 
upper bound for coverability [35]. Later in 1981, Mayr proved that reachability 
is decidable [32] without providing an upper bound for the algorithm. The con- 
struction was simplified by Kosaraju [24] and Lambert [25], and a recent series 
of papers by Leroux and Schmitz ended in 2019 by proving an Ackermann upper 
bound [27]. A matching Ackermann lower bound was published in 2021 by two 
independent groups [12,26]. 

Plenty of attention has been given to VASS with fixed dimension, that is 
when the number of counters k is invariable, denoted k-VASS. For fixed dimen- 
sion VASS it matters much whether the counter updates are encoded in unary or 
binary. Already, Rackoff gives NL and PSPACE upper bounds for coverability in 
unary encoded and binary encoded k-VASS, respectively [35]. The coverability 
problem where there are no counters is just directed graph reachability that is 
NL-complete [3]. Thus, coverability in unary encoded k-VASS is NL-complete, 
for every fixed k. Coverability in binary encoded 1-VASS is in NC² [2]; it can 
therefore be decided in deterministic polynomial time. If there are two or more 
binary counters, coverability is PSPACE-hard [5] via a reduction from reachability 
in bounded one-counter automata, which is PSPACE-complete [18]. Therefore, 
coverability in binary encoded k-VASS is PSPACE-complete for every k ≥ 2. See 
Figure 1 for the complexities of coverability in VASS with a fixed number of 
unary and binary encoded counters. This is all in striking contrast to the reach- 
ability problem in fixed dimension VASS, since reachability in 8-VASS is already 
known to be nonelementary [13]. 


There is a prominent line of work on 2-VASS with various encodings. The 
seminal paper in 1979 of Hopcroft and Pansiot [23] shows reachability in 2-VASS 
is decidable, proving that the reachability set is effectively semi-linear. Moreover, 
in the same paper the authors show, by an example, that the 3-VASS reachabil- 
ity set need not be semi-linear. Later, this was improved as it was shown that for 




                                   Number of unary counters 
                          0                    1                      ≥ 2 
Number of     0    NL-complete [3]      NL-complete [38]       NL-complete [35] 
binary        1    in NC² ⊆ P [2]       in NP [this paper]     Open 
counters     ≥ 2   PSPACE-complete [5]  PSPACE-complete        PSPACE-complete [35] 


Fig. 1. The complexities of coverability in VASS with a fixed number of unary and 
binary encoded counters. All NL lower bounds arise from the zero counters case, here 
coverability is directed graph reachability and that is well known to be NL-complete [3]. 
In the case of one binary counter, regardless of the number of unary counters, we are 
aware only of this trivial NL lower bound. Furthermore, with one binary counter and 
at least two unary counters, we are not aware of a non-trivial upper bound (denoted 
“Open” in the table). When there are at least two binary counters and any number of 
unary counters, coverability is PSPACE-complete. The lower bound holds for 2-VASS 
with two binary counters [5] and the upper bound is given by Rackoff for any fixed 
dimension [35]. Recall that coverability in general VASS, where the number of counters 
is not fixed, is EXPSPACE-complete [35]. 


2-VASS the reachability relation is effectively semi-linear [28]. This proof shows 
that every 2-VASS can be characterised by a flat model, i.e. one where the underlying 
finite automaton does not contain nested cycles. A more careful analysis of 
that paper resulted in a PSPACE upper bound for reachability in binary 
encoded 2-VASS [5]. Since coverability in binary encoded 2-VASS is PSPACE- 
hard [5], the authors were able to conclude that both coverability and reachability 
are PSPACE-complete. Just as coverability demonstrated the difference encoding 
makes to complexity, so does reachability; later it was proved that reachability 
in unary encoded 2-VASS is NL-complete [16]. 


Our Results and Techniques. We consider the coverability problem for 2-VASS 
with one unary counter. Here, updates of one counter are encoded in binary 
and the updates of the other are encoded in unary, see Figure 2 for an example. 
Notice that the unary counter need not be limited to polynomially bounded 
values. Otherwise, the value of the unary counter could be encoded into the 
states for an instance of coverability in binary encoded 1-VASS. Furthermore, 
we do not impose any restrictions on the initial and the target configurations, 
i.e. both coordinates of these vectors are encoded in binary. Our main result is 
that coverability in 2-VASS with one unary counter is in NP. 

Coverability in binary encoded k-VASS is PSPACE-complete for k ≥ 2. This 
lower bound limits the practicality of applications. Therefore, it is sensible to 
consider restricted variations and quantify their complexity. We remark that 
the complexity of coverability in fixed dimension VASS was wide open when there was 
exactly one binary counter and at least one unary counter. See Figure 1 for a 
summary of the known results. 
[Figure 2: a 2-VASS with a state q and two cycles through q, λ with effect (100, −1) and ρ with effect (−99, 1).] 


Fig. 2. Example 2-VASS with one unary counter V. Consider the instance of coverability 
consisting of V, the initial configuration q(0, 1), and the target configuration 
q(0, 10). Consider the path π = λρλρ···λρ ρ···ρ = (λρ)^990 ρ^10, which induces a run in V 
from the initial configuration q(0, 1). There are 990 repetitions of the pair of cycles 
λρ to witness the configuration q(990, 1). The cycles alternate so both counters remain 
non-negative throughout the run. This is followed by 10 iterations of the cycle ρ so the 
configuration q(0, 11) is witnessed, achieving coverability of the target configuration q(0, 10). 


The natural starting point is the characterisation of runs via linear path 
schemes [4]. Intuitively, the authors prove that if coverability or reachability 
holds then there is a witnessing path of a specific shape. Namely, all paths can 
be characterised by a bounded language defined by a regular expression of the 
form τ₀γ₁*τ₁···τ_{k−1}γ_k*τ_k. Here τ₀, ..., τ_k are paths that connect disjoint cycles 
γ₁, ..., γ_k. Since the language is bounded, checking if there is a path for a given 
expression essentially amounts to an instance of integer linear programming. In 
particular, the authors argue that both k and |τ₀| + |γ₁| + |τ₁| + ... + |τ_{k−1}| + 
|γ_k| + |τ_k| are pseudo-polynomially bounded [4]. A polynomial bound, however, 
would immediately yield an NP upper bound, as such a regular expression can be 
guessed. Given that coverability in 2-VASS with two binary counters is PSPACE- 
hard [5], we cannot simply directly apply the known results when dealing with 
2-VASS with one binary and one unary counter. In Section 3, we provide a 
detailed discussion and a difficult yet motivating example in Figure 3. 

To overcome this problem, we show that coverability can be witnessed by 
paths in compressed linear form. We relax the condition of the bounded language 
by allowing linear forms to be nested, provided that the exponents are fixed. 
Intuitively, an expression of the form (τγ*τ')* is still forbidden, but we allow 
(τγ^e τ')*, where e is fixed but can be exponentially large (encoded using 
polynomially many bits). Such a form readily provides an NP upper bound. 

We rely on two crucial observations to prove that we can focus on paths 
in compressed linear form. First, notice that the * operation in a linear path 
scheme corresponds to iterating some cycle in the VASS. Since γ₁, ..., γ_k need 
to be short, one naturally focuses on short cycles. The issue is that there are 
exponentially many cycles of polynomial size. In Section 4 we prove that for 
coverability there are only polynomially many ‘optimal’ cycles. In Section 5 we 
deal with the problem when some cycle γ occurs many times in a linear path 
scheme witnessing coverability, resulting in a polynomial bound on k, the width 
of the linear path scheme. We prove that either we can merge some γ_i and 
γ_j, thus reducing the width, or there is a cycle that has positive effect on one 
counter and non-negative effect on the other counter. Intuitively, in the latter 
case, we can reduce the problem to coverability in 1-VASS by pumping such a 
cycle, which forces one counter to take an arbitrarily large value. Moreover, such 
a cycle is witnessed by a linear path scheme. Since we need to pump this cycle, 
we require compressed linear forms to describe the repetitions of the cycle. 

We highlight that both our crucial observations rely on the fact that we work with 
coverability, not reachability. We further highlight that we address these crucial 
observations through technical contributions that often depend on the fact that 
there is one unary counter. 


Further Related Work. Asymmetric treatment of the counters has been already 
considered for VASS. Recall that Minsky machines can be seen as VASS with the 
additional ability of zero-testing. For this model coverability is undecidable [33], 
even with two counters. This raised the natural question of what happens when 
only one of the counters can be reset or tested for zero. This, and more 
generally, reachability in VASS with hierarchical zero-tests are known to be de- 
cidable [36]. There is a further investigation into VASS with one zero-test [20]. 
Recently, work has appeared containing detailed analysis about 2-VASS where 
counters have different powers [19,29]. Finally, one of the most famous open 
problems in the community is whether reachability is decidable for 1-VASS 
with a pushdown stack. For these systems, coverability is known to be decid- 
able [30]. The best known lower bound is that coverability, thus reachability also, 
is PSPACE-hard [15]. Our model, 2-VASS with one unary counter, can be seen 
as 1-VASS with a singleton alphabet pushdown stack. 

The complexity of reachability in binary encoded 3-VASS remains an intrigu- 
ing open problem. It is PSPACE-hard, like in dimension two, and the only known 
upper bound is primitive recursive, but not even elementary [27]. Recent works 
on reachability in fixed dimension VASS [11,9,13] provide new examples and a 
better understanding of the VASS model. Interestingly, many techniques applied 
to fixed dimension VASS are very closely related to recent progress on the nonelementary 
and Ackermann lower bounds for general VASS [10,12,26]. Finally, we 
additionally motivate coverability in VASS with one binary counter and (at 
least) one unary counter as an avenue for finding new techniques with which to 
approach VASS problems. 


2 Preliminaries 


Given an integer z ∈ Z we denote bitsize(z) = log₂(|z| + 1) + 1. For a vector 
v := (v₁, v₂) we use (v)₁ := v₁ and (v)₂ := v₂ for the projections to the 
first and second coordinates, respectively. We use |v|max := max{|v₁|, |v₂|} + 1 
to denote the size of vector v. We write v ≤ w if the inequalities hold on each 
coordinate. We write v < w if, in addition, at least one of the inequalities is strict. 

A 2-VASS with one unary counter V = (Q, T) consists of a finite set of 
control states Q and a set of transitions T ⊆ Q × Z × {−1, 0, 1} × Q. We 
shall refer to the first counter as the binary counter and the second counter as 
the unary counter. The size of V is |V| = |Q| + Σ_{(p,b,u,q)∈T} bitsize(b). With 
|V|max = |Q| + |T|·|T|max we denote the total ‘pseudo-polynomial size’ of the 
automaton, where |T|max denotes the maximum absolute value that occurs in 
the transitions. Note that in a standard 2-VASS both counters are in binary, i.e. 
the domain of updates for the second counter is also Z. 

A path π in V is a, possibly empty, sequence of transitions π = (t_i)_{i=1}^m such 
that t_i = (q_{i−1}, b_i, u_i, q_i) ∈ T. A path is simple if q₀, ..., q_m are distinct. A path 
is a cycle if q₀ = q_m and m > 0 (thus empty cycles are forbidden). We call it 
a q₀-cycle to emphasise the first and last state of the cycle. A cycle is simple 
if q₁, ..., q_m are distinct. A cycle is short if m ≤ |Q|. The length of a path is 
the number of transitions in the path, denoted len(π) = m. We write π[i..j] to 
denote the path that is the subsequence of transitions (t_i, ..., t_j) in π. 

A configuration (p, u) ∈ Q × N², denoted p(u), is a state paired with the 
current binary and unary counter values. A run is a sequence of configurations 
(q_i(v_i))_{i=0}^m such that (q_{i−1}, (v_i)₁ − (v_{i−1})₁, (v_i)₂ − (v_{i−1})₂, q_i) ∈ T. A run can 
equivalently be defined by the sequence of configurations induced by following a 
path π starting from an initial configuration q₀(v₀). We denote this run q₀(v₀) →^π 
q_m(v_m). We also write q₀(v₀) →* q_m(v_m) to indicate the existence of a run 
between two configurations. 

In this paper we study the coverability problem for VASS. 

VASS COVERABILITY 
INPUT: A VASS V = (Q, T) and two configurations p(u) and q(v). 
QUESTION: Does p(u) →* q(v') hold for some v' ≥ v? 

Do note that the initial configuration p(u) and the target configuration q(v) 
have both the binary and unary components encoded as binary integers. The 
reachability problem for VASS, which we will not study in this paper, requires 
v' = v. 

Consider a path π = (t_i)_{i=1}^m, where t_i = (q_{i−1}, b_i, u_i, q_i). The effect of π is 
the sum of the counter updates, i.e. the vector eff(π) := Σ_{i=1}^m (b_i, u_i). We often 
focus on the two projections: the binary effect eff_b(π) := Σ_{i=1}^m b_i, and the unary 
effect eff_u(π) := Σ_{i=1}^m u_i. 

We say that a cycle γ is monotone if eff(γ) ≥ 0 or eff(γ) ≤ 0. Otherwise, we 
say that γ is non-monotone. Note the two variants of a non-monotone cycle: a 
positive-negative cycle has eff_b(γ) > 0 and eff_u(γ) < 0, and a negative-positive cycle 
has eff_b(γ) < 0 and eff_u(γ) > 0. 

Let γ be a cycle. Given e ∈ N we write γ^e for the path obtained by e 
repetitions of γ. We refer to e as the exponent. A linear path scheme is a regular 
expression of the form τ₀γ₁*τ₁···τ_{k−1}γ_k*τ_k, where the paths τ₀, τ₁, ..., τ_k connect 
disjoint cycles γ₁, ..., γ_k. Note that a collection of cycles is disjoint if no two 
cycles have a common state. Given ℓ = (τ₀, γ₁, τ₁, ..., τ_{k−1}, γ_k, τ_k), we say that a 
path π is in linear form ℓ if π = π_ℓ = τ₀γ₁^{e₁}τ₁···τ_{k−1}γ_k^{e_k}τ_k for some exponents 
e₁, ..., e_k. Note that in this definition every path has a linear form, e.g. τ₀ = π 
is valid. To leverage the definition, we will ask whether paths are in a linear 
form of a certain size. The size of a linear form ℓ is Σ_{i=0}^k len(τ_i) + Σ_{i=1}^k len(γ_i). 
The size of π_ℓ is Σ_{i=0}^k len(τ_i) + Σ_{i=1}^k len(γ_i) + Σ_{i=1}^k bitsize(e_i), i.e. it includes the 
exponents. We refer to k as the width of the linear form. 
3 Coverability in 2-VASS with One Unary Counter 


In this section we briefly discuss why the state-of-the-art techniques are not 
enough to prove that coverability in 2-VASS with one unary counter is in NP. 
Blondin et al. [4] show that for a given 2-VASS V there exists a set of linear 
path schemes S such that if p(u) →* q(v) in V, then there exists a path π 
in a linear path scheme ρ ∈ S such that p(u) →^π q(v). For every linear path 
scheme ρ ∈ S the width of ρ, and therefore the width of every path, is bounded 
above by poly(|Q|, |T|max) [4, Theorem 3.1]. Such a path π is not necessarily 
a polynomial size witness, as the width depends on |T|max polynomially. We 
provide an example of a 2-VASS with one unary counter where the width of 
every linear form ℓ for a path is exponential in the input size. This demonstrates 
that the combinatorial structure of linear path schemes is not sufficient on its own to 
show that there always exists a polynomial size witness of coverability. 


Fig. 3. Example 2-VASS with one unary counter V, where N = 2^n and n is an input 
parameter (thus making N exponentially large). Consider the coverability instance 
with the initial configuration q(0, 1) and the target configuration q(N, 1). Let λ 
and ρ be the two q-cycles shown, each written as the sequence of its transitions 
t_xy from state x to state y. Observe that eff(λ) = (N, −1) and eff(ρ) = (−N + 1, 1), 
thus eff(λρ) = (1, 0). It is then easy to see that q(0, 1) →^{(λρ)^N} q(N, 1). Intuitively, 
the cycles λ and ρ alternate so both counters remain non-negative throughout the 
run. In the appendix, we prove that there does not exist a linear form of polynomial 
size for a path that induces a coverability run. 
Paths in Compressed Linear Form. Nevertheless, there is a natural way to succinctly 
describe the path presented in Figure 3. Let σ = λρ, and note that σ^N can be 
written with nested exponents in which all paths and cycles are ‘small’ and the 
only exponents that occur are N and N². The bitsizes of N and N² are polynomial 
in n, so σ itself is a path in linear form. We introduce the following generalisation 
of linear form paths that encapsulates the idea behind paths of this kind of 
arrangement. 


Definition 1 (Compressed linear form path). A path π is in compressed 
linear form if π = ρ₀σ₁^{f₁}ρ₁···ρ_{k−1}σ_k^{f_k}ρ_k for some connected paths in linear form 
ρ₀, ρ₁, ..., ρ_k, cycles in linear form σ₁, ..., σ_k, and exponents f₁, ..., f_k. The size 
of a compressed linear form path is the sum of the sizes of all ρ_i and σ_i (including 
the bitsize of their exponents) plus the bitsize of the exponents f_i. 




Fig. 4. A compressed linear form path. 


The following theorem is our main contribution. 


Theorem 1. Let V be a 2-VASS with one unary counter and fix two configurations 
p(u) and q(v). If p(u) →* q(v), then there exists a path π in compressed 
linear form such that p(u) →^π q(v') and v' ≥ v. The size of the compressed 
linear form path is polynomial in |V| + bitsize(u) + bitsize(v). 


Corollary 1. Coverability in 2-VASS with one unary counter is in NP. 


Proof. By Theorem 1 it suffices to consider paths in compressed linear form 
of polynomial size, that can be guessed in NP. It suffices to observe that a 
coverability instance on a given compressed linear form amounts to an instance 
of integer linear programming. Intuitively, this is because the nested cycles are 
fixed. Thus to check whether a run drops below zero it suffices to check before 
applying a cycle and after applying it for the last time (see e.g. [5, Section V, 
Lemma 14]). 
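As an added illustration (this example is not part of the paper and is not the authors' code), the check behind Corollary 1 can be carried out mechanically once the exponents are fixed: a compressed linear form path is represented as nested terms, and eff and grd are computed per term, using for a bundle γ^e only the guard of the first and of the last iteration, so the cost is linear in the term size rather than in the exponents. The constants LAM, RHO and FIG2_PATH are a constructed encoding of the instance of Figure 2 (both cycles as self-loops on q, an assumption of this example), and fig3_path builds the instance of Figure 3 with N = 2^n as a binary update; the term representation and state names are this example's own choices.

```python
# Added example, not from the paper: verifying a compressed linear form path
# against a 2-VASS with one unary counter without unrolling its exponents.
# A transition is (source state, binary update, unary update, target state);
# a term is a plain list of transitions, a Pow (a cycle term raised to a
# fixed exponent), or a Seq (concatenation of terms).  Counters are (b, u).
from dataclasses import dataclass
from typing import List, Tuple, Union

Trans = Tuple[str, int, int, str]
Vec = Tuple[int, int]

@dataclass
class Pow:
    body: "Term"
    exp: int

@dataclass
class Seq:
    parts: List["Term"]

Term = Union[List[Trans], Pow, Seq]

@dataclass
class Summary:
    first: str   # state the term starts in
    last: str    # state the term ends in
    eff: Vec     # eff(term): total counter change
    grd: Vec     # grd(term): lowest prefix sum of each coordinate (<= 0)

def vadd(a: Vec, b: Vec) -> Vec:
    return (a[0] + b[0], a[1] + b[1])

def vmin(a: Vec, b: Vec) -> Vec:
    return (min(a[0], b[0]), min(a[1], b[1]))

def vscale(k: int, a: Vec) -> Vec:
    return (k * a[0], k * a[1])

def summarize(term: Term) -> Summary:
    """Compute eff and grd of a term; cost is linear in the term size, not in the exponents."""
    if isinstance(term, list):
        if not term:
            raise ValueError("plain segments must be non-empty")
        b = u = gb = gu = 0
        for i, (src, db, du, dst) in enumerate(term):
            if i and src != term[i - 1][3]:
                raise ValueError("ill-formed path: states do not chain")
            b, u = b + db, u + du
            gb, gu = min(gb, b), min(gu, u)
        return Summary(term[0][0], term[-1][3], (b, u), (gb, gu))
    if isinstance(term, Pow):
        s = summarize(term.body)
        if s.first != s.last:
            raise ValueError("an exponent may only be applied to a cycle")
        if term.exp == 0:
            return Summary(s.first, s.first, (0, 0), (0, 0))
        # Iteration i (1 <= i <= exp) starts at offset (i-1)*eff, so its lowest
        # point is (i-1)*eff + grd, which is linear in i: the minimum over all
        # iterations is attained in the first or in the last one.
        last_grd = vadd(vscale(term.exp - 1, s.eff), s.grd)
        return Summary(s.first, s.last, vscale(term.exp, s.eff), vmin(s.grd, last_grd))
    subs = [summarize(p) for p in term.parts]
    eff: Vec = (0, 0)
    grd: Vec = (0, 0)
    for i, s in enumerate(subs):
        if i and s.first != subs[i - 1].last:
            raise ValueError("ill-formed path: segments do not chain")
        grd = vmin(grd, vadd(eff, s.grd))   # prefix offset plus the part's own guard
        eff = vadd(eff, s.eff)
    return Summary(subs[0].first, subs[-1].last, eff, grd)

def run(term: Term, init: Vec) -> Tuple[Vec, Vec]:
    """Return (lowest point reached, final counters) when following term from init."""
    s = summarize(term)
    return vadd(init, s.grd), vadd(init, s.eff)

def covers(term: Term, p: str, u: Vec, q: str, v: Vec) -> bool:
    """Does term induce a run p(u) -> q(v') with v' >= v and no counter below zero?"""
    s = summarize(term)
    lowest, final = run(term, u)
    return (s.first == p and s.last == q
            and min(lowest) >= 0
            and final[0] >= v[0] and final[1] >= v[1])

# Constructed encoding of Figure 2: both cycles as self-loops on q (an assumption here).
LAM: List[Trans] = [("q", 100, -1, "q")]
RHO: List[Trans] = [("q", -99, 1, "q")]
FIG2_PATH = Seq([Pow(Seq([LAM, RHO]), 990), Pow(RHO, 10)])   # (lambda rho)^990 rho^10

def fig3_path(n: int) -> Term:
    """(lambda rho)^N for the instance of Figure 3 with N = 2^n; N is never unrolled."""
    big = 2 ** n
    lam: List[Trans] = [("q", big, -1, "q")]
    rho: List[Trans] = [("q", -big + 1, 1, "q")]
    return Pow(Seq([lam, rho]), big)
```

Running `covers(FIG2_PATH, "q", (0, 1), "q", (0, 10))` answers the instance of Figure 2 in a handful of arithmetic operations; swapping the two bundles, or using 989 repetitions of λρ, makes the binary counter go negative and the check rejects. The same summary for `fig3_path(200)` handles an exponent of 2^200 without iterating, which is exactly why fixed exponents keep the witness polynomial.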


We highlight that it is rather unexpected that only one extra ‘level’ of linear 
form paths is enough to obtain polynomial size witnesses of coverability in a 2-VASS 
with one unary counter, since the problem is PSPACE-complete for general 
2-VASS. Roughly speaking, the example given in Figure 3 exhibits the most 
complex behaviour possible, and this instance of coverability is witnessed by a 
compressed linear form path. More specifically, compressed linear form paths 
containing only one linear form cycle suffice as witnesses for coverability in 2- 
VASS with one unary counter. Therefore, all witnesses can be represented by a 
compressed linear form path ρσ^Nτ, where ρ and τ are linear form paths to and 
from the single linear form cycle σ, which is iterated N times. 

The rest of the paper is dedicated to proving Theorem 1. We heavily exploit 
both distinguishing features of the problem: the fact that one counter receives 
unary encoded updates (as opposed to both counters in binary) and the fact 
that we aim to assert coverability (as opposed to reachability). Our approach 
is as presented in the introduction. In Section 4 we observe that we can polynomially 
bound the total number of distinct short cycles that need to occur in a witness. We 
formalise this and show that there are only polynomially many ‘irreplaceable’ short 
cycles. In Section 5 we provide a ‘reshuffling procedure’. If some short cycle γ 
repeats exponentially many times, we aim to modify the path π by moving the 
occurrences of γ close to each other. Then either every short cycle γ appears only in 
polynomially many ‘bundles’ γ^e, or we find a cycle σ such that eff(σ) > 0. In the 
latter case, by pumping σ we are essentially left with one counter. Finally, in 
Section 6 we conclude the proof of Theorem 1. 


4 Replacing Short Cycles 


In this section, we show that there are only polynomially many short cycles that 
need occur in a run witnessing coverability. Fix a path π = (q_{i−1}, b_i, u_i, q_i)_{i=1}^k. 
Let 0 ≤ i_b, i_u ≤ k be the first indices such that g_b = Σ_{i=1}^{i_b} b_i and g_u = Σ_{i=1}^{i_u} u_i 
are at their lowest, respectively. Note that g_b, g_u ≤ 0 since, by convention, if we 
consider i_b, i_u = 0 then the sum evaluates to 0. We call and denote these two 
numbers the binary guard grd_b(π) = g_b and the unary guard grd_u(π) = g_u. The 
following claim immediately follows from these definitions. 


Claim 1. Both grd_b(π[i_b + 1..k]) = 0 and grd_u(π[i_u + 1..k]) = 0. 


Much like the nadir of a cycle in a one-counter net, defined in [1], we define the 
binary-nadir state as q_{i_b}, i.e. the first state in which the binary counter attains 
its lowest value when executing π. We call π = π^p π^s, for π^p = π[1..i_b] and 
π^s = π[i_b + 1..k], the binary-nadir decomposition, as indicated by Claim 1. Notice 
that this decomposition necessitates that the binary guard of the path π is equal to 
the binary effect of the prefix π^p: grd_b(π) = eff_b(π^p) = grd_b(π^p). Furthermore, 
the suffix of the binary-nadir decomposition has zero binary guard, grd_b(π^s) = 0. 
We primarily utilise binary-nadir states and binary-nadir decompositions, hence 
the omission of matching unary-nadir states and unary-nadir decompositions. 


Definition 2 (Replaceable cycles). Let γ be a q-cycle and let p be the binary-nadir 
state of γ. We say that γ is replaceable if there exists a q-cycle γ' with the 
same binary-nadir state p, such that 

(a) eff_b(γ') ≥ eff_b(γ) and eff_u(γ') ≥ eff_u(γ), 
(b) grd_b(γ') ≥ grd_b(γ) and grd_u(γ') ≥ grd_u(γ), and 
(c) len(γ') ≤ len(γ). 

Additionally, at least one of these inequalities is strict, and we write γ ≺ γ'. 


We say a cycle is irreplaceable if it is not replaceable. We also say that an 
irreplaceable q-cycle γ with the binary-nadir state p is characterised by the five 
values eff_b(γ), eff_u(γ), grd_b(γ), grd_u(γ), and len(γ). 


Lemma 1 (Replacing cycles). Let π = π₁γπ₂, where γ is a q-cycle. Suppose 
p(u) →^π q(v). Then the following hold. 

– If γ is replaceable, then there exists an irreplaceable q-cycle γ' with γ ≺ γ' such that 
  p(u) →^{π₁γ'π₂} q(v'). 
– If γ is irreplaceable, then for every irreplaceable q-cycle γ' that has the same 
  characterisation as γ, p(u) →^{π₁γ'π₂} q(v'). 

In both cases v' ≥ v and len(π) ≥ len(π₁γ'π₂). 

For convenience, we define the polynomial R(|Q|) := |Q|⁴(|Q| + 1)(2|Q| + 1)². 


Lemma 2. There exist at most R(|Q|) irreplaceable short cycles with 
different characterisations. 


Proof. We fix two states q and p and consider only q-cycles γ with the binary-nadir 
state p. Thus in the final argument one must multiply everything by |Q|². 
Since we consider short cycles, the unary effect and the unary guard are small, 
i.e. −|Q| ≤ eff_u(γ) ≤ |Q| and −|Q| ≤ grd_u(γ) ≤ 0. 

Towards a contradiction, suppose there exist more than |Q|²(|Q| + 1)(2|Q| + 1)² 
such irreplaceable q-cycles with different characterisations. By the pigeonhole 
principle there must exist two cycles, denoted in binary-nadir decomposition 
γ = γ₁γ₂ and γ' = γ'₁γ'₂, that have the same values eff_u(γ₁) = eff_u(γ'₁), 
eff_u(γ₂) = eff_u(γ'₂), grd_u(γ) = grd_u(γ'), len(γ₁) = len(γ'₁), and len(γ₂) = len(γ'₂). 

We know that the irreplaceable q-cycles γ and γ' have different characterisations, 
so it must be the case that their binary effects differ, eff_b(γ) ≠ eff_b(γ'). 
Otherwise, the cycle with the lesser binary guard is replaceable, because the 
unary effect, unary guard, and length do not differ. Without loss of generality, 
suppose eff_b(γ) > eff_b(γ'); then grd_b(γ) < grd_b(γ'). Otherwise, γ' would be 
replaceable, as γ' ≺ γ. 

Now consider the q-cycle σ = γ'₁γ₂, also with the binary-nadir state p. We 
will show that γ ≺ σ, contradicting the fact that γ is an irreplaceable q-cycle. 
First, observe that σ has greater binary effect than γ, as 

eff_b(σ) = eff_b(γ'₁) + eff_b(γ₂) > eff_b(γ₁) + eff_b(γ₂) = eff_b(γ), 

where the inequality holds because eff_b(γ₁) = grd_b(γ) < grd_b(γ') = eff_b(γ'₁). Second, 
σ and γ have equal unary effect because eff_u(γ'₁) = eff_u(γ₁). Third, we show that σ has a 
greater binary guard than γ. Since γ₂ is the suffix of the binary-nadir decomposition 
of γ, it must be true that grd_b(γ₂) = 0. By Claim 1, grd_b(σ) = grd_b(γ'₁). 
Combining these facts, grd_b(σ) = grd_b(γ') > grd_b(γ). Fourth, σ has at least the 
unary guard of γ because, in particular, the unary guard of a prefix of a path 
is at least the unary guard of the entire path: 

grd_u(σ) = min{grd_u(γ'₁), eff_u(γ'₁) + grd_u(γ₂)} 
         ≥ min{grd_u(γ'), eff_u(γ'₁) + grd_u(γ₂)} 
         = min{grd_u(γ), eff_u(γ₁) + grd_u(γ₂)} = grd_u(γ). 

Fifth and finally, σ and γ have equal length because len(γ'₁) = len(γ₁). We have at 
least one strict inequality. Thus, we have reached the desired contradiction. 
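The following added example (not the paper's code) makes Definition 2 and the construction in the proof of Lemma 2 concrete: it computes the binary-nadir decomposition of a cycle, its characterisation, the replaceability order ≺, and the merged cycle σ = γ'₁γ₂. The two cycles GAMMA and GAMMA_P are constructed for this example, with illustrative state names q and p; they agree on all unary data and on the lengths of their nadir prefixes and suffixes but differ in binary effect, which is exactly the situation the pigeonhole step produces.

```python
# Added example, not from the paper: binary-nadir decomposition, the
# replaceability order of Definition 2, and the merged cycle sigma = gamma'_1 gamma_2
# from the proof of Lemma 2.  A cycle is a list of transitions
# (source state, binary update, unary update, target state).
from typing import List, Tuple

Trans = Tuple[str, int, int, str]
Cycle = List[Trans]

def prefix_sums(path: Cycle, coord: int) -> List[int]:
    """Running totals of one coordinate (1 = binary, 2 = unary), starting from 0."""
    total, sums = 0, [0]
    for t in path:
        total += t[coord]
        sums.append(total)
    return sums

def eff(path: Cycle) -> Tuple[int, int]:
    return (prefix_sums(path, 1)[-1], prefix_sums(path, 2)[-1])

def grd(path: Cycle) -> Tuple[int, int]:
    """Lowest prefix sum per coordinate; 0 (the empty prefix) is always a candidate."""
    return (min(prefix_sums(path, 1)), min(prefix_sums(path, 2)))

def nadir_index(path: Cycle) -> int:
    """i_b: the first index at which the binary prefix sum is lowest."""
    sums = prefix_sums(path, 1)
    return sums.index(min(sums))

def nadir_state(cycle: Cycle) -> str:
    i = nadir_index(cycle)
    return cycle[0][0] if i == 0 else cycle[i - 1][3]

def nadir_decomposition(cycle: Cycle) -> Tuple[Cycle, Cycle]:
    """(gamma_1, gamma_2) with gamma_1 = gamma[1..i_b] and gamma_2 = gamma[i_b+1..]."""
    i = nadir_index(cycle)
    return cycle[:i], cycle[i:]

def characterisation(cycle: Cycle) -> Tuple[int, int, int, int, int]:
    """The five values (eff_b, eff_u, grd_b, grd_u, len) of Definition 2."""
    e, g = eff(cycle), grd(cycle)
    return (e[0], e[1], g[0], g[1], len(cycle))

def dominates(g2: Cycle, g1: Cycle) -> bool:
    """gamma1 < gamma2 in the order of Definition 2: same start state, same
    binary-nadir state, conditions (a)-(c), and at least one strict inequality."""
    if g1[0][0] != g2[0][0] or nadir_state(g1) != nadir_state(g2):
        return False
    c1, c2 = characterisation(g1), characterisation(g2)
    # (a) effects and (b) guards may only grow, (c) length may only shrink
    pairs = [(c2[0], c1[0]), (c2[1], c1[1]), (c2[2], c1[2]), (c2[3], c1[3]), (c1[4], c2[4])]
    return all(a >= b for a, b in pairs) and any(a > b for a, b in pairs)

def lemma2_merge(gamma: Cycle, gamma_p: Cycle) -> Cycle:
    """sigma = gamma'_1 gamma_2: the prefix of gamma' up to its nadir state p,
    followed by the suffix of gamma from p; both pieces are transitions of V."""
    if gamma[0][0] != gamma_p[0][0] or nadir_state(gamma) != nadir_state(gamma_p):
        raise ValueError("both cycles must start in q and have binary-nadir state p")
    _, g2 = nadir_decomposition(gamma)
    h1, _ = nadir_decomposition(gamma_p)
    return h1 + g2

# Two constructed q-cycles with binary-nadir state p (sample input for this example).
GAMMA: Cycle = [("q", -5, 0, "p"), ("p", 7, 0, "q")]    # eff_b 2, grd_b -5
GAMMA_P: Cycle = [("q", -2, 0, "p"), ("p", 3, 0, "q")]  # eff_b 1, grd_b -2
SIGMA = lemma2_merge(GAMMA, GAMMA_P)                      # eff_b 5, grd_b -2
```

Neither of GAMMA and GAMMA_P replaces the other (GAMMA_P has the smaller effect, GAMMA the smaller guard), yet the merged cycle SIGMA has both the larger effect and the larger guard with the same unary data and length, so `dominates(SIGMA, GAMMA)` holds and GAMMA was replaceable after all, which is the contradiction the proof derives.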


5 Reshuffling Linear Form Paths 


5.1 Reshuffling Procedure 


There can be many linear forms for a path π. We will try to find an ‘optimal’ 
one, so we introduce a cost function to quantify linear forms. Recall that a linear 
form ℓ is a sequence of paths τ₀, τ₁, ..., τ_k and a sequence of cycles γ₁, ..., γ_k. 
If π is in the linear form ℓ = (τ₀, γ₁, τ₁, ..., τ_{k−1}, γ_k, τ_k) then we write π_ℓ = 
τ₀γ₁^{e₁}τ₁···τ_{k−1}γ_k^{e_k}τ_k, where π = π_ℓ (the index is here to stress the exact linear 
form). For this section, we will consider linear forms containing only short cycles 
γ; they will play a key role in the following arguments. 

We define a cost function that assigns, to a linear form ℓ, the following pair of 
naturals: C(ℓ) = (Σ_{i=0}^k len(τ_i), k). For convenience, we define the polynomial 
P(|Q|) = 2(|Q|² + 1)(|Q|² + 2)·R(|Q|), where R is the polynomial defined 
for Lemma 2. We say that a linear form ℓ is narrow if C(ℓ) ≤ (|Q|(P(|Q|) + 
1), P(|Q|)), otherwise we say that ℓ is wide. We say that the triple (π', σ, π'') is a 
monotone cycle decomposition of a path π if σ is a monotone cycle, π = π'σπ'', 
and len(σ) < len(π). 


Lemma 3 (Reshuffling). Let π be a path such that p(u) →^π q(v). Then there 
exists a path ρ such that p(u) →^ρ q(w) where w ≥ v, len(ρ) ≤ len(π), and either 


(i) there exists a narrow linear form for p, or 
(ii) there exists a monotone cycle decomposition of p. 


Proof. We start with a series of preparations. In the early part of this proof, 
we provide simple observations to ascertain some auspicious properties of our 
path. In the later part of this proof, we present the ‘reshuffling procedure’ and 
conclude with one of the cases in the statement of this lemma. In this proof we 
will compare linear forms using the lexicographic order ≺_lex, which is known to 
be a linear order and a well-order. Formally, 

C(ℓ') ≺_lex C(ℓ) ⟺ (C(ℓ'))₁ < (C(ℓ))₁ or 
                    ((C(ℓ'))₁ = (C(ℓ))₁ and (C(ℓ'))₂ < (C(ℓ))₂). 
We start with a path π' such that p(u) →^{π'} q(v') where v' ≥ v, len(π') ≤ 
len(π), and π' has a linear form ℓ' that has the least cost among all linear forms 
for all like-paths. That means there does not exist another path π'' such that 
p(u) →^{π''} q(v'') where v'' ≥ v, len(π'') ≤ len(π), and π'' has a linear form ℓ'' 
such that C(ℓ'') ≺_lex C(ℓ'). 

For the first observation, suppose there exists 0 ≤ i ≤ k such that len(τ_i) > 
|Q|. Then the path τ_i can be written as τ_i = τ'γτ'', where γ is a short cycle. 
We can define the linear form ℓ'' by modifying ℓ' so that τ_i is swapped for τ'γ*τ''. 
Although this increments the number of cycles k, we decrease the total length of 
the paths, as len(τ') + len(τ'') < len(τ_i) (recall that empty cycles are forbidden). 
Thus C(ℓ'') ≺_lex C(ℓ'), contradicting the assumption that ℓ' has minimum cost. 
Therefore, we assume that len(τ_i) ≤ |Q| for all 0 ≤ i ≤ k. 

For the second observation, we define U := {0 ≤ i ≤ m : (v_i)₂ < |Q|} to be 
the set of indices of configurations in the run that have unary counter value less 
than |Q|. Observe that if |U| ≥ |Q|² + 1 then there are two indices 0 ≤ i < j ≤ m 
such that the two corresponding configurations in the run have matching states 
q_i = q_j and equal unary counter values (v_i)₂ = (v_j)₂. Then, regardless of the sign of 
its binary effect, π'[i..j] is a monotone cycle. Here, case (ii) immediately holds 
by decomposing π' itself using the monotone cycle π'[i..j], given that i > 0 
and j < m implies len(π'[i..j]) = j − i < m = len(π'). Therefore, we assume 
|U| < |Q|² + 1. We continue with the aim of satisfying the conditions of case (ii) 
by finding a monotone cycle decomposition. 

Let d = |{γ₁, ..., γ_k}| be the number of distinct cycles in the linear form ℓ'. 
By Lemma 1 and Lemma 2, we can assume that d ≤ R(|Q|). Otherwise, we can 
exchange replaceable q-cycles for irreplaceable q-cycles using the first point in 
Lemma 1. It is possible that for a particular characterisation, we observe 
more than one irreplaceable q-cycle. Then using the second point in Lemma 1, 
we can arbitrarily select one of these irreplaceable q-cycles with equal characterisations 
and exchange all others for it. By applying these cycle replacements 
to π', we obtain a different path ρ. Definition 2 ensures that we do so without 
decreasing the effect (a), without allowing the counters to take a negative value 
(b), and without increasing the length of the path (c). Therefore p(u) →^ρ q(w) 
with w ≥ v' ≥ v, and len(ρ) ≤ len(π') ≤ len(π). We remark that since cycles have 
been exchanged one-for-one, ρ takes a linear form ℓ with the same path 
segments as ℓ'. Therefore, it is clear that neither the number of cycles k, nor the 
sum of the lengths of the paths between cycles, have changed. We also know that 
ℓ is a linear form for ρ with minimum cost C(ℓ) = C(ℓ'), as per the initialisation 
in this proof. 

Suppose ρ = ρ_ℓ = τ₀γ₁^{e₁}τ₁···τ_{k−1}γ_k^{e_k}τ_k. Let (q_j(v_j))_{j=0}^m be the run obtained 
by following the path ρ_ℓ from the initial configuration q₀(v₀) = p(u) to the final 
configuration q_m(v_m) = q(w). We may assume that ℓ is wide. Otherwise, case (i) 
is immediately satisfied. We also know that len(ρ_ℓ) ≥ max{(C(ℓ))₁, (C(ℓ))₂} > 
P(|Q|). We may also assume that each cycle γ₁, ..., γ_k is non-monotone, i.e. it is 
positive-negative or negative-positive. Otherwise, case (ii) immediately holds by 
decomposing ρ itself using some monotone cycle γ_i, given that len(γ_i) ≤ |Q| < 
P(|Q|) < len(ρ_ℓ). Notice this is valid since each e_i > 0 by the minimality of C(ℓ); 
otherwise one can write ···τ_{i−1}τ_i··· with one less cycle, decreasing (C(ℓ))₂. 


From the first observation, we get Σ_{i=0}^k len(τ_i) ≤ (k + 1)|Q|. Given that ℓ 
is wide, either |Q|(P(|Q|) + 1) < (C(ℓ))₁ = Σ_{i=0}^k len(τ_i) ≤ (k + 1)|Q|, which 
implies P(|Q|) < k, or P(|Q|) < (C(ℓ))₂ = k. Regardless, P(|Q|) < k holds. 
Recall that |U| < |Q|² + 1 from the second observation. Since there are relatively 
‘few’ configurations indexed by U, there must exist a relatively ‘distant’ pair 
of consecutive configurations indexed by U. More formally, there are i and j 
such that 0 ≤ i < j ≤ k and j − i > 2(|Q|² + 2)R(|Q|), and all configurations 
that occur in the run over the path segment τ_iγ_{i+1}^{e_{i+1}}···γ_j^{e_j}τ_j have unary counter 
value at least |Q|. Notice that j − i is the number of cycles in this path segment. 
Since j − i > 2(|Q|² + 2)R(|Q|) and by the pigeonhole principle on the number of 
irreplaceable cycles, there is a common irreplaceable cycle γ repeated at least 
x = 2(|Q|² + 2) many times. We will focus on the first x such occurrences of this 
cycle. Let s₁, ..., s_x be the indices of this cycle γ, i.e. γ = γ_{s₁} = ... = γ_{s_x}. To 
highlight these cycles, we decompose this path segment into 

τ_iγ_{i+1}^{e_{i+1}}···γ_j^{e_j}τ_j = Λ₀γ^{f₁}Λ₁···Λ_{x−1}γ^{f_x}Λ_x, 

where f_j := e_{s_j} and the Λ_j are the concatenated paths (and cycles) in between 
iterations of γ, see Figure 5. To reiterate, we know that all configurations that 
occur in the run over this path segment have unary counter value at least |Q|, 
and γ is a short cycle. 


[Figure 5: a plot with axis label Binary]

Fig. 5. The decomposition of the path segment into $\Delta_0 \gamma^{f_1} \Delta_1 \cdots \Delta_{x-1} \gamma^{f_x} \Delta_x$, as above. Notice that the unary counter is always at least $|Q|$ as no configurations indexed by $U$ are present.


Reshuffling Procedure. In the rest of the proof we will modify the path segment (above) of the path $\pi_\ell$ with a procedure that we call reshuffling. At the end of this procedure we will find a monotone cycle and satisfy case (ii) of this lemma. We either find this cycle directly, or we obtain a linear form $\ell''$ such that $C(\ell'') \prec_{lex} C(\ell)$, contradicting the assumption that $\ell$ has minimal cost.

Note that $x = 2(|Q|^2 + 2)$ is even, and for every pair of consecutive cycles $\gamma^{f_{2j-1}}$ and $\gamma^{f_{2j}}$ (for $1 \leq 2j \leq x$), consider the subsegment $\gamma^{f_{2j-1}} \Delta_{2j-1} \gamma^{f_{2j}}$. There are two scenarios depending on the variant of the non-monotone cycle $\gamma$. In the scenario where $\gamma$ is positive-negative, we move an iteration of $\gamma$ from right to left, obtaining $\gamma^{f_{2j-1}+1} \Delta_{2j-1} \gamma^{f_{2j}-1}$. In the scenario where $\gamma$ is negative-positive, we move an iteration of $\gamma$ in the opposite direction, obtaining $\gamma^{f_{2j-1}-1} \Delta_{2j-1} \gamma^{f_{2j}+1}$.

We repeat this procedure until one of two conditions is met. The first is when there are no iterations of $\gamma$ on one side, so either $f_{2j-1}$ or $f_{2j}$ becomes 0. The second is when there appears a configuration, in the run over the path subsegment after reshuffling, with unary counter value less than $|Q|$. See Figure 6 for a pictorial presentation of reshuffling in the scenario where $\gamma$ is positive-negative.


[Figure 6: two plots (left and right) with axis labels Unary and Binary]

Fig. 6. Reshuffling around a path $\Delta$ (blue) where $\gamma$ (red) is positive-negative. Before reshuffling, in the path subsegment $\cdots \gamma \Delta \gamma \cdots$ all configurations have unary counter value at least $|Q|$ in the run (left). After reshuffling, in the path subsegment $\cdots \gamma \gamma \Delta \cdots$, there is a configuration with unary counter value less than $|Q|$ in the run (right).


We claim that after each reshuffling step, the corresponding run remains executable, so we must check that both counters remain non-negative. Notice that by only moving a cycle, the total effect of the path subsegment remains the same. Therefore, if the run was executable before reshuffling, we can safely assume that the prefix before the path subsegment and the suffix after the path subsegment are still executable. For that reason, consider the counter values of configurations occurring in the run over the reshuffled path subsegment. We focus on a single step of the reshuffling procedure that concerns the subsegment $\gamma^{f_{2j-1}} \Delta_{2j-1} \gamma^{f_{2j}}$.

Suppose $\gamma$ is a positive-negative cycle. Then the reshuffling procedure moves $\gamma$ from right to left. We claim that since $f_{2j-1} > 0$ and $\Delta_0 \gamma^{f_1} \Delta_1 \cdots \Delta_{2j-2} \gamma^{f_{2j-1}}$ is executable, the subsegment $\Delta_0 \gamma^{f_1} \Delta_1 \cdots \Delta_{2j-2} \gamma^{f_{2j-1}+1}$ is executable from the initial configuration. This is because one prerequisite of the reshuffling procedure is that all configurations occurring in the run over the path subsegment have unary counter value at least $|Q|$. Moreover, the cycle $\gamma$ has length at most $|Q|$, so $\mathrm{grd}_u(\gamma) \geq -|Q|$ means the unary counter value remains non-negative. As for the binary counter value, since a single execution of $\gamma$ increases the binary counter and an iteration of $\gamma$ was already executed before reshuffling, $\Delta_0 \gamma^{f_1} \Delta_1 \cdots \Delta_{2j-2} \gamma^{f_{2j-1}+1}$ is executable. In the same way, from the initial configuration, $\Delta_0 \gamma^{f_1} \Delta_1 \cdots \Delta_{2j-2} \gamma^{f_{2j-1}+1} \Delta_{2j-1} \gamma^{f_{2j}-1}$ is executable. This is because $\mathrm{eff}_u(\gamma) \geq -|Q|$, and again, all configurations occurring in the run over the path subsegment have unary counter value at least $|Q|$, and also because of the monotonicity on the binary counter.

The argument when $\gamma$ is a negative-positive cycle is analogous. This concludes the correctness analysis of the reshuffling procedure.
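The reshuffling procedure and its executability check, as an added example that is not part of the paper: counters are stored as (binary, unary) pairs, matching the proof's convention that a positive-negative cycle increases the binary counter and decreases the unary one; states are abstracted away except through |Q| (a constructed simplification), so a cycle or segment is just its list of transition effects, and the cycles, segments and starting configurations used below are constructed sample data.

```python
from typing import List, Optional, Tuple

# Counter vectors are (binary, unary): in the proof a positive-negative cycle
# increases the binary counter and decreases the unary one.
Vec = Tuple[int, int]


def effect(path: List[Vec]) -> Vec:
    """Total effect eff(path): the sum of all transition effects on the path."""
    return (sum(b for b, _ in path), sum(u for _, u in path))


def run(start: Vec, path: List[Vec]) -> Optional[List[Vec]]:
    """Configurations visited when firing `path` from `start`, or None when a
    counter would drop below zero (the run is not executable)."""
    b, u = start
    confs = [start]
    for db, du in path:
        b, u = b + db, u + du
        if b < 0 or u < 0:
            return None
        confs.append((b, u))
    return confs


def variant(gamma: List[Vec]) -> str:
    """Classify a cycle by the signs of its effect on (binary, unary)."""
    db, du = effect(gamma)
    if db > 0 and du < 0:
        return "positive-negative"
    if db < 0 and du > 0:
        return "negative-positive"
    return "monotone"


def subsegment(gamma: List[Vec], delta: List[Vec], f_left: int, f_right: int) -> List[Vec]:
    """The path gamma^{f_left} Delta gamma^{f_right}."""
    return gamma * f_left + delta + gamma * f_right


def reshuffle(start: Vec, gamma: List[Vec], delta: List[Vec],
              f_left: int, f_right: int, q_size: int) -> Tuple[int, int, str]:
    """Move iterations of gamma across Delta, one per step, until either one side
    has no iterations left (first stopping condition) or some configuration of
    the run has unary counter below |Q| (second stopping condition).
    Returns the final exponents and the condition that stopped the procedure."""
    kind = variant(gamma)
    if kind == "monotone":
        raise ValueError("reshuffling is only applied to non-monotone cycles")
    if len(gamma) > q_size:
        raise ValueError("gamma must be a short cycle, len(gamma) <= |Q|")
    confs = run(start, subsegment(gamma, delta, f_left, f_right))
    if f_left == 0 or f_right == 0 or confs is None or any(u < q_size for _, u in confs):
        raise ValueError("prerequisite: both sides non-empty and unary >= |Q| throughout")
    while True:
        if kind == "positive-negative":   # move one iteration from right to left
            f_left, f_right = f_left + 1, f_right - 1
        else:                              # negative-positive: from left to right
            f_left, f_right = f_left - 1, f_right + 1
        if f_left == 0 or f_right == 0:
            return f_left, f_right, "no iterations left on one side"
        confs = run(start, subsegment(gamma, delta, f_left, f_right))
        # the proof's claim: moving a single short cycle never breaks executability
        assert confs is not None, "reshuffled subsegment became non-executable"
        if any(u < q_size for _, u in confs):
            return f_left, f_right, "unary counter below |Q|"


# Constructed sample data: |Q| = 2, a positive-negative and a negative-positive
# short cycle, and two segments Delta between the cycle iterations.
Q_SIZE = 2
GAMMA_PN: List[Vec] = [(+1, -1)]
GAMMA_NP: List[Vec] = [(-1, +1)]
DELTA_A: List[Vec] = [(0, -1), (-1, 0)]
DELTA_B: List[Vec] = [(0, -1), (0, +3)]

if __name__ == "__main__":
    print(reshuffle((3, 6), GAMMA_PN, DELTA_A, 1, 2, Q_SIZE))   # stops: one side empty
    print(reshuffle((3, 4), GAMMA_PN, DELTA_B, 1, 2, Q_SIZE))   # stops: unary below |Q|
    print(reshuffle((4, 2), GAMMA_NP, DELTA_A, 2, 1, Q_SIZE))   # negative-positive variant
```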


Finishing Reshuffling. We analyse what happens when reshuffling is finished. Suppose that there exists a pair $2j-1$ and $2j$ such that the reshuffling finishes under the first condition, where all iterations of $\gamma$ have been moved to one side of $\Delta_{2j-1}$. In this case we obtain a new linear form $\ell''$ for $\pi$, where one collection of the cycle $\gamma$ has been removed (decrementing $k$). So $(C(\ell''))_2 = k - 1 < (C(\ell))_2$, and the two adjacent path segments can be combined without changing the summed length of paths, so $(C(\ell''))_1 = (C(\ell))_1$. Therefore $C(\ell'') \prec_{lex} C(\ell)$, contradicting the assumption that $\ell$ has the minimal cost.

Otherwise, for every $1 \leq j \leq x/2$ the reshuffling of the pair $2j-1$ and $2j$ finishes under the second condition. So there is a configuration with unary counter value less than $|Q|$ in the run induced from the path $\pi$ for each pair $2j-1$ and $2j$ (see Figure 7). Recall that $x/2 = |Q|^2 + 2$, which is the number of pairs. Akin to the first observation (in the beginning of this proof), we use the pigeonhole principle on the number of such configurations to obtain two configurations with matching states and equal unary counter values. The path segment inducing the part of the run between these two configurations is a monotone cycle, regardless of the binary effect. Again, it must be true that the length of this cycle is less than the length of the whole path, so we obtain a monotone cycle decomposition of $\pi$. Thus case (ii) of the lemma holds.


[Figure 7: a plot with axis label Binary]

Fig. 7. After reshuffling is finished under the second condition, we can find a zero unary effect cycle using the (sufficiently many) configurations with unary counter value less than $|Q|$.


5.2 Applying Reshuffling 


Lemma 3 does not necessarily return a narrow linear form for a path $\pi$ witnessing coverability. Instead it may return a monotone cycle decomposition $(\rho, \sigma, \tau)$ of $\pi$. Our next goal is to show that there exist polynomial size certificates for $\rho$ and $\sigma$ (Lemma 4), and then to show that there exists a polynomial size certificate for $\tau$ (Lemma 5). Like linear forms, there can be many monotone cycle decompositions for a path. In what follows, we will use the cost function assigning monotone cycle decompositions to pairs of natural numbers $D((\rho, \sigma, \tau)) := (\mathrm{len}(\rho\sigma), \mathrm{len}(\sigma))$. Note that we can compare two decompositions using their cost, even if they are for two different paths.


Lemma 4. Suppose $p(u) \xrightarrow{*} q(v)$, yet there is no narrow linear form $\ell$ for any path $\pi$ such that $p(u) \xrightarrow{\pi} q(w)$ and $w \geq v$. Then there exists a path $\pi'$ such that

(a) $p(u) \xrightarrow{\pi'} q(w')$ where $w' \geq v$,
(b) there is a monotone cycle decomposition $(\rho, \sigma, \tau)$ of $\pi'$ where $\mathrm{eff}(\sigma) > 0$, and
(c) there are narrow linear forms for both $\rho$ and $\sigma$.


Proof. We will again use the lexicographical order $\prec_{lex}$ to compare the cost of monotone cycle decompositions. Let $\pi$ be a path of minimum length such that $p(u) \xrightarrow{\pi} q(w)$ where $w \geq v$. Let $c = (\rho, \sigma, \tau)$ be the monotone cycle decomposition of $\pi$ that minimizes the cost $D(c)$ under the $\prec_{lex}$ order. Such a decomposition must exist, otherwise applying Lemma 3 would return a narrow linear form $\ell'$ for $\pi$ such that $p(u) \xrightarrow{\ell'} q(w')$ and $w' \geq w \geq v$, contradicting an assumption of this lemma. Observe that $\mathrm{eff}(\sigma) > 0$, otherwise one can remove $\sigma$ and consider the shorter path $\rho\tau$, contradicting the minimal length of $\pi$. Next, we argue that $\rho$ and $\sigma$ do not have monotone cycle decompositions; we then leverage Lemma 3 to obtain the narrow linear forms required.


Path $\rho$ cannot be decomposed further. Towards a contradiction, assume that there is a monotone cycle decomposition $(\rho', \sigma', \tau')$ of $\rho$. Observe that the following monotone cycle decomposition $c' = (\rho', \sigma', \tau'\sigma\tau)$ of $\pi$ has lower cost $D(c') \prec_{lex} D(c)$, as $(D(c'))_1 = \mathrm{len}(\rho') + \mathrm{len}(\sigma') < \mathrm{len}(\rho) + \mathrm{len}(\sigma) = (D(c))_1$. This contradicts the assumption that $(\rho, \sigma, \tau)$ has minimum cost.

Suppose $p(u) \xrightarrow{\rho} p'(x)$. Since there is no monotone cycle decomposition, applying Lemma 3 to $\rho$ returns a path $\rho'$ with a narrow linear form such that $p(u) \xrightarrow{\rho'} p'(x')$ where $x' \geq x$ and $\mathrm{len}(\rho') < \mathrm{len}(\rho)$.


Cycle $\sigma$ cannot be decomposed further. Towards a contradiction, assume that there is a monotone cycle decomposition $(\rho', \sigma', \tau')$ of $\sigma$. Observe that the following monotone cycle decomposition $c' = (\rho\rho', \sigma', \tau'\tau)$ of $\pi$ has lower cost $D(c') \prec_{lex} D(c)$, as $(D(c'))_1 = \mathrm{len}(\rho) + \mathrm{len}(\rho') + \mathrm{len}(\sigma') < \mathrm{len}(\rho) + \mathrm{len}(\sigma) = (D(c))_1$ and $(D(c'))_2 = \mathrm{len}(\sigma') < \mathrm{len}(\sigma) = (D(c))_2$. This contradicts the assumption that $(\rho, \sigma, \tau)$ has minimum cost.

Suppose $p'(x) \xrightarrow{\sigma} p'(y)$. Since there is no monotone cycle decomposition, applying Lemma 3 to $\sigma$ returns a path $\sigma'$ with a narrow linear form such that $p'(x) \xrightarrow{\sigma'} p'(y')$ where $y' \geq y$ and $\mathrm{len}(\sigma') < \mathrm{len}(\sigma)$. In particular, it is also true that $\mathrm{eff}(\sigma') \geq \mathrm{eff}(\sigma) > 0$.

Replacing $\rho'$ for $\rho$ and $\sigma'$ for $\sigma$ in $\pi$ yields a path $\pi'$. Clearly, if $p(u) \xrightarrow{\pi} q(w)$ where $w \geq v$, then $p(u) \xrightarrow{\pi'} q(w')$ where $w' \geq w \geq v$. Finally, $(\rho', \sigma', \tau)$ is a monotone cycle decomposition of $\pi'$ such that $\mathrm{eff}(\sigma') > 0$ and $\rho'$ and $\sigma'$ have narrow linear forms, as required.


We now aim to obtain a narrow linear form for $\tau$. Note that Lemma 4 gives us a monotone cycle $\sigma$ with positive effect on at least one counter, i.e. $\mathrm{eff}(\sigma) > 0$. By pumping $\sigma$ we can force one of the counters to take an arbitrarily large value (below, the vector $x$ reflects this large value for Lemma 5). Then, loosely speaking, the problem reduces to coverability in 1-VASS. However, proving the existence of a polynomial size compressed linear form path in Theorem 1 requires more care. Note that Lemma 5 is stated for 2-VASS (not necessarily with one unary counter). First we need to recall the following bound on counter values observed throughout runs. Recall that $|V|_{\max} = |Q| + |T| \cdot |T|_{\max}$ is the pseudo-polynomial size of the input.


Theorem 2 (Corollary from Theorem 3.2 in [4]). Consider a 2-VASS (with both counters in binary) $V = (Q, T)$ and let $p(u) \xrightarrow{*} q(v)$. Then there exists a run $p(u) = q_0(v_0), q_1(v_1), \ldots, q_m(v_m) = q(v)$ such that $|v_0|_{\max}, |v_1|_{\max}, \ldots, |v_m|_{\max} \leq (|V|_{\max} + |u|_{\max} + |v|_{\max})$°.


In the following lemma, which is proved in the appendix, given a 2-VASS $V$, the initial configuration $p(u)$, and the target configuration $q(v)$, we write $B$ in place of $(|V|_{\max} + |u|_{\max} + |v|_{\max})$° from Theorem 2, and we fix $x = (4B|Q|^2|V|_{\max}^2, 0)$.


Lemma 5. Consider a 2-VASS (with both counters in binary) $V = (Q, T)$ and let $p(u) \xrightarrow{*} q(v)$. Then there exists a narrow linear form path $\pi'$ such that $p(u + x) \xrightarrow{\pi'} q(v')$ for some $v' \geq v$.


6 Proof of Theorem 1 


Before proving Theorem 1, we employ the fact that for a general 2-VASS, not 
necessarily with one unary counter, the exponents of cycles in linear forms can 
be pseudo-polynomially bounded. 


Lemma 6 (Corollary from Lemma 18 in [5]). Let $\pi$ be a path in a 2-VASS with a linear form $\pi = \tau_0 \gamma_1^{e_1} \tau_1 \cdots \tau_{k-1} \gamma_k^{e_k} \tau_k$ such that $p(u) \xrightarrow{\pi} q(v)$. Then there exists a path $\pi' = \tau_0 \gamma_1^{e'_1} \tau_1 \cdots \tau_{k-1} \gamma_k^{e'_k} \tau_k$ such that $p(u) \xrightarrow{\pi'} q(v')$ where $v' \geq v$ and $\mathrm{bitsize}(e'_1), \ldots, \mathrm{bitsize}(e'_k)$ are all bounded by a polynomial in $|V| + \mathrm{bitsize}(u) + \mathrm{bitsize}(v)$.


Proof of Theorem 1. Let $p(u) \xrightarrow{\pi} q(v)$ for some path $\pi$. If there is a narrow linear form $\ell$ for $\pi$, then by Lemma 6 we obtain $\pi' = \tau_0 \gamma_1^{e'_1} \tau_1 \cdots \tau_{k-1} \gamma_k^{e'_k} \tau_k$ such that $p(u) \xrightarrow{\pi'} q(v')$ where $v' \geq v$ and $\mathrm{bitsize}(e'_1), \ldots, \mathrm{bitsize}(e'_k)$ are all bounded above by a polynomial in $|V| + \mathrm{bitsize}(u) + \mathrm{bitsize}(v)$. Since $\ell$ is a narrow linear form, we know that $k \leq P(|Q|)$, so $\sum_{i=1}^{k} \mathrm{len}(\gamma_i) \leq k|Q| \leq |Q|P(|Q|)$, and we also know that $\sum_{i=0}^{k} \mathrm{len}(\tau_i) \leq |Q|(P(|Q|) + 1)$. Together, this implies the linear form path $\pi'$ is of polynomial size.

It remains to consider the case when there is no narrow linear form $\ell$ for $\pi$. By Lemma 4 (via Lemma 3) there exists a path $\pi'$ such that $p(u) \xrightarrow{\pi'} q(v')$ and $v' \geq v$. Moreover, there is a monotone cycle decomposition $(\rho, \sigma, \tau)$ of $\pi'$ such that $\mathrm{eff}(\sigma) > 0$ and there are narrow linear forms for both $\rho$ and $\sigma$.

Assume that $(\mathrm{eff}(\sigma))_1 > 0$. This is without loss of generality, because if $(\mathrm{eff}(\sigma))_1 = 0$ then one can flip the coordinates in $V$, $u$ and $v$ (for the remainder of the proof it will not matter that one counter is unary). Let $p'(m)$ be the configuration such that $p(u) \xrightarrow{\rho} p'(m) \xrightarrow{\sigma\tau} q(v')$. Observe that since $\mathrm{eff}(\sigma) > 0$, for every $i \in \mathbb{N}$ the path $\rho\sigma^i$ induces the run $p(u) \xrightarrow{\rho\sigma^i} p'(m + i \cdot \mathrm{eff}(\sigma))$. Consider $x = (x)_1 = 4B|Q|^2|V|_{\max}^2$ (for Lemma 5); clearly $x$ is large enough so that $p(u) \xrightarrow{\rho\sigma^x} p'(m')$ and $m' \geq m + x$. By Lemma 5 there exists a narrow linear form for a path $\tau'$ such that $p'(m') \xrightarrow{\tau'} q(v'')$ and $v'' \geq v'$.

We conclude by considering the compressed linear form path $\rho\sigma^x\tau'$ such that $p(u) \xrightarrow{\rho\sigma^x\tau'} q(v'')$ and $v'' \geq v' \geq v$. Since $\rho$, $\sigma$, and $\tau'$ have narrow linear forms, we can also bound the exponents using Lemma 6 as in the beginning of this proof. Finally, $\mathrm{bitsize}(x)$ is polynomial in $|V| + \mathrm{bitsize}(u) + \mathrm{bitsize}(v)$, much like the exponents of the cycles in the linear forms. Therefore, the size of the compressed linear form $\rho\sigma^x\tau'$ is polynomial in $|V| + \mathrm{bitsize}(u) + \mathrm{bitsize}(v)$.


7 Conclusion and Future Work 


In this paper we proved that coverability in 2-VASS with one unary counter is in 
NP, a drop in complexity from PSPACE for general 2-VASS. We achieve this by 
using our new techniques. Most notably, we polynomially bounded the number 
of short cycles that need to be used (Section 4). Then, we attempt to find a 
polynomial linear form path by replacing short cycles and reshuffling the path 
(Section 5). 

A natural extension is to consider whether coverability in 3-VASS with one 
binary counter and two unary counters is also in NP. More generally, there 
is the problem of determining the complexity of coverability in k-VASS with 
one binary counter and $k - 1$ unary counters. The technique for polynomially 
bounding the number of short cycles that need be used can easily be generalised 
to these higher dimension VASS with only one binary counter. However, it is not 
clear how to modify and use our reshuffling technique. Another open problem is 
whether reachability in 2-VASS with one unary counter is also in NP. Note that 
completeness would immediately follow from the fact that reachability in binary 
encoded 1-VASS is NP-hard [22]. 
Abstract. We consider the model of history-deterministic one-counter nets (OCNs). History-determinism is a property of transition systems that allows for a limited kind of non-determinism which can be resolved 'on-the-fly'. Token games, which have been used to characterise history-determinism over various models, also characterise history-determinism over OCNs. By reducing 1-token games to simulation games, we are able to show that checking for history-determinism of OCNs is decidable. Moreover, we prove that this problem is PSPACE-complete for a unary encoding of transitions and EXPSPACE-complete for a binary encoding, and undecidable for one-counter automata (OCA), which are OCNs that can test for zeroes.

We then study the language properties of history-deterministic OCNs. We show that the resolvers of non-determinism for history-deterministic OCNs are eventually periodic. As a consequence, for a given history-deterministic OCN, we construct a language equivalent deterministic OCA. We also show the decidability of comparing languages of history-deterministic OCNs, such as language inclusion and language universality.


Keywords: History-determinism · Token games · One-counter nets · One-counter automaton.


1 Introduction 


While deterministic automata are algorithmically efficient for problems such as 
synthesis or for solving games, they are often much less succinct, or less expressive 
than their non-deterministic counterparts. As such, many intermediate models 
between determinism and non-determinism have been studied [1,2,3,4,5], with 
history-determinism being one such well-studied notion over the recent years. 
History-deterministic automata over infinite words with parity acceptance condition were introduced by Henzinger and Piterman as a tool to solve verification games, although dubbed good-for-games in their work [6]. Such automata are 
known to be exponentially more succinct than their deterministic counterpart [7], 
and are known to form a robust class of automata that is both algorithmically 
and conceptually interesting [6,8,9,7,10,11,12,13,14]. 

The notion of history-determinism emerged independently in the setting of 
cost automata that can capture all regular cost functions as opposed to their 
deterministic version [15]. Recently, history-determinism has been studied in quantitative settings [16,17], as well as in infinite-state systems such as pushdown automata [18,19], Parikh automata [20], and timed automata [21,22], where they are often more succinct and expressive than their deterministic counterpart.

One-counter nets are finite-state systems along with a counter that stores a 
non-negative integer value which can never be explicitly tested for zero. They 
correspond to 1-dimensional VASS, Petri nets with exactly one unbounded place, 
and are a subclass of one-counter automata which do not have zero tests, and 
hence are also a subclass of pushdown automata. They are one of the simplest 
infinite-state systems, and hence many problems pertaining to one-counter nets 
are easier than models that subsume them. 

The structure of the resolvers that resolve non-determinism on-the-fly is crucial to understanding history-determinism in various models. While for automata 
over infinite words with parity conditions, these resolvers take the shape of deter- 
ministic parity automata [6], the situation for resolvers in history-deterministic 
infinite-state systems is not as well understood. Indeed, the computability of 
such a resolver for a given history-deterministic pushdown automaton is left as 
an open problem in the works of Guha, Jecker, Lehtinen and Zimmermann [18]. 
For history-deterministic Parikh automata, it is still an open problem if the re- 
solver can be given by a deterministic Parikh transducer [20]. Moreover, many 
other problems such as deciding history-determinism or even language inclu- 
sion among history-deterministic automata are undecidable for pushdown au- 
tomata and Parikh automata [18,19,20]. We consider history-determinism over 
one-counter nets, where we are able to answer positively to all of the above 
questions. 

To answer several of these questions, we use results and techniques from the 
simulation problem over one-counter nets [23,24]. This is not surprising, since 
simulation of various models has close ties with history-determinism [6,21]. 


Our Contribution We study history-deterministic OCNs and establish them as 
a class of infinite-state systems where many problems pertaining to history- 
determinism are decidable. This is unlike many other classes of history-deter- 
ministic infinite-state systems that have been studied so far. 

Firstly, we show that checking for history-determinism of a given one-counter 
net is PSPACE-complete when the transitions are encoded in unary, and is 
EXPSPACE-complete for a more succinct encoding (Theorem 4, Theorem 26). 
We achieve the upper bound by giving a novel reduction from the one-token 
game [11] to the simulation problem over OCNs. One-token games characterise 
history-determinism over OCNs, and thus our reduction further extends the link 
between history-determinism and simulation. This decidability result is in con- 
trast to one-counter automata (OCA), where checking for history-determinism 
becomes undecidable by just adding zero-tests to OCNs (Theorem 27). 

Secondly, we show that resolvers for non-determinism in history-deterministic 
OCNs can be expressed as an eventually periodic set. Using this, we are able to 
determinise history-deterministic OCNs to give a language equivalent determin- 
istic OCA. 
Finally, we show the problems of language inclusion and language universality for history-deterministic OCNs to be in PSPACE and P respectively. This is unlike non-deterministic OCNs, where these problems are known to be undecidable and Ackermann-complete respectively. Even for the class of deterministic OCA, to which we show history-deterministic OCNs can be converted, the inclusion problem is known to be undecidable.


Good-for-Gameness A notion closely related to history-determinism (HD) is 
that of good-for-gameness. An automaton is said to be good-for-games (GFG) 
if its composition with a game whose acceptance condition is given by the lan- 
guage of the automaton yields an equivalent game. For parity automata over 
infinite words, these two notions are known to be equivalent [6,25], but they 
do not coincide on all models [16]. For the purposes of our paper, we deal with 
history-deterministic OCNs, as in our setting the notion of history-determinism 
is equivalent to good-for-gameness when composition with infinitely branching 
games is considered [26]. We note, however, that this is not true when compositionality is restricted to only finitely branching games [26].


2 Preliminaries 


We use $\mathbb{N}$ to denote the set of positive integers and $\mathbb{N}_0$ to denote the non-negative integers. An alphabet, denoted by $\Sigma$, is any finite non-empty set of letters, and the set of all finite words over $\Sigma$ is denoted by $\Sigma^*$. The empty word over $\Sigma$ is denoted by $\varepsilon$, and we use $\Sigma_\varepsilon$ to denote the set $\Sigma \cup \{\varepsilon\}$. A language $L$ over $\Sigma$ is a subset of $\Sigma^*$.


Labelled Transition System A labelled transition system (LTS) is a tuple $S = (Q, \Sigma, \to, q_0, F)$. In this paper, we assume that $Q$ is a (countable) set of states, $q_0 \in Q$ is the initial state, $F \subseteq Q$ is the set of final states, $\Sigma$ is a finite alphabet, and $\to \subseteq Q \times \Sigma_\varepsilon \times Q$ is the set of transitions.

If a transition $(q_1, a, q_2)$ belongs to $\to$, we also represent it as $q_1 \xrightarrow{a} q_2$. On a finite word $w$, $\rho$ is said to be a run of the labelled transition system $S$ if it is a finite alternating sequence of states and letters of $\Sigma_\varepsilon$: $\rho = q_0 \xrightarrow{a_0} q_1 \xrightarrow{a_1} \cdots q_{k-1} \xrightarrow{a_{k-1}} q_k$, where for each $i$, $q_i \xrightarrow{a_i} q_{i+1} \in \to$ and $a_i \in \Sigma_\varepsilon$, such that $w = a_0 a_1 \cdots a_{k-1}$. A run $\rho$ described above is accepting if the state $q_k \in F$.

An LTS that has no $\varepsilon$-transitions is said to be a realtime LTS. For a realtime LTS $S = (Q, \Sigma, \to, q_0, F)$, we have $\to \subseteq Q \times \Sigma \times Q$. Unless mentioned otherwise, we mostly deal with realtime LTS for the sake of a simpler presentation. An LTS $S = (Q, \Sigma, \to, q_0, F)$ is deterministic if $\to$ is a function from $Q \times \Sigma$ to $Q$ and not just a relation.


Two player games Throughout the paper, we will be using two player games on countably sized arenas, between the players Adam and Eve, denoted by $\forall$ and $\exists$ respectively. The winning condition will be a reachability condition for one of the players, often $\forall$. These can be interpreted as Gale-Stewart games [27], and we know that such games are determined, that is, they have a winner, which is either $\forall$ or $\exists$. Moreover, each of the players has a positional strategy, where their current move depends only on their position in the current arena. We say that two games are equivalent if they have the same winner.


One-Counter Automata A one-counter automaton (OCA) $A$ is given by a tuple $A = (Q, \Sigma, \Delta, q_0, F)$, where $Q$ is a finite set of states, $q_0 \in Q$ is the initial state, $F \subseteq Q$ is the set of final states, $\Sigma$ is a finite alphabet, and $\Delta$ is the set of transitions, given as a relation $\Delta \subseteq Q \times \{\mathit{zero}, \neg\mathit{zero}\} \times \Sigma \times \{-1, 0, 1\} \times Q$.

Here, the symbols $\mathit{zero}$ and $\neg\mathit{zero}$ are used to distinguish between transitions that can happen when the counter value is 0, and when the counter value is positive, respectively. One can think of the counter as a stack, where the stack has a distinguished bottom-of-the-stack symbol, which cannot be popped. The configurations in the automaton are given by pairs $(q, m)$, where $q$ denotes the current state, and $m \in \mathbb{N}_0$ denotes the counter value. We use $C(A)$ to denote the set of configurations of $A$.

A one-counter automaton generates an infinite-state LTS over the set of configurations $Q \times \mathbb{N}_0$, such that the transitions are as defined below. For each configuration $(q, m)$, upon reading $a \in \Sigma_\varepsilon$,

– if $m > 0$, it takes a transition of the form $(q, \neg\mathit{zero}, a, d, q')$, where $d \in \{-1, 0, 1\}$, to $(q', m + d)$;

– if $m = 0$, it takes a transition of the form $(q, \mathit{zero}, a, d, q')$, where $d \in \{0, 1\}$, to $(q', m + d)$.

For two configurations $c, c' \in C(A) = Q \times \mathbb{N}_0$, we use the notation $c \xrightarrow{a, d} c'$ to denote the fact that $c'$ can be reached from $c$ upon taking some transition $\delta \in \Delta$ upon reading $a$, with a change of counter value $d$. We shall also say that $c \xrightarrow{a, d} c'$ is a transition in $A$, as $c \xrightarrow{a, d} c'$ is a transition in the infinite LTS of $A$. We thus view $A$ as both an automaton and an LTS (generated by $A$), and switch between these two notions interchangeably. A run of $A$ over a word $w$ is a finite sequence of alternating configurations and transitions $\rho = c_0 \xrightarrow{a_0, d_0} c_1 \xrightarrow{a_1, d_1} \cdots c_n \xrightarrow{a_n, d_n} c_{n+1}$ such that $a_0 a_1 \cdots a_n = w$, and $c_0 = (q_0, 0)$. The run $\rho$ is an accepting run if its last configuration $c_{n+1} = (q_{n+1}, k_{n+1})$ is accepting, i.e. $q_{n+1} \in F$. We say a word $w$ is an accepting word in $A$ if it has an accepting run in $A$. Finally, we define the language of $A$, denoted by $L(A)$, to be the set of all accepting words in $A$. We say that $A$ is a deterministic one-counter automaton if $\Delta$ is a (partial) function from $Q \times \{\mathit{zero}, \neg\mathit{zero}\} \times \Sigma$ to $\{-1, 0, 1\} \times Q$.


One-counter nets The model of one-counter nets (OCNs) can be interpreted as a restriction of one-counter automata that removes the ability to test for zero. Alternatively, one can view this as a finite-state automaton that has access to a stack which can store only one symbol and has no bottom-of-the-stack element. Any feasible run cannot pop an empty stack. More formally, a one-counter net $N$ is a tuple $(Q, \Sigma, \Delta, q_0, F)$ where $Q$ is the finite set of states, $\Sigma$ is a finite alphabet, $q_0 \in Q$ is the initial state and $F \subseteq Q$ is the set of final or accepting states. The set $\Delta \subseteq Q \times \Sigma \times \{-1, 0, 1\} \times Q$ is the set of transitions of the net $N$.

The configurations of an OCN are similar to those of an OCA. A configuration is a pair $(q, n) \in Q \times \mathbb{N}_0$. We shall use the notation $C(N) = Q \times \mathbb{N}_0$ to denote the set of configurations of $N$. From a configuration $(q, n)$, we reach a configuration $(p, n + d)$ in one step if there is a transition $\delta = (q, a, d, p)$, for some $a \in \Sigma$ and $d \in \{-1, 0, +1\}$, and $n + d \geq 0$. We define a run on an OCN, an accepting run and an accepting word similarly to an OCA. We say an OCN $N$ is complete if for every configuration $c \in C(N)$ and every letter $a \in \Sigma$, there exists a transition $c \xrightarrow{a, d} c'$ for some $d$ and $c'$.
Remark 1. For most of the paper we talk about one-counter nets (automata) with unary transitions, i.e. transitions that increment or decrement the counter by at most 1. However, they are as expressive as succinct models where the one-counter net has a binary encoding, i.e. when the transitions allow the counter to be incremented or decremented by positive integers represented in binary. This can be observed, for instance, by giving a construction similar to that of Valiant's for deterministic pushdown automata ([28], Section 1.7).


History-Deterministic One-Counter Nets We define history-determinism in the setting of one-counter nets. Informally, an OCN $N$ is history-deterministic if the non-deterministic choices required to accept a word $w$ which is in $L(N)$ can be made on-the-fly. These choices depend only on the word read so far, and do not require knowledge of the future of the word to construct an accepting run for a word in $L(N)$ (hence the term history-determinism). Formally, we say an OCN $N$ is history-deterministic if $\exists$ wins the letter game on $N$ defined below.


Definition 2 (Letter game for OCN). Given an OCN $N = (Q, \Sigma, \Delta, q_0, F)$, the letter game on $N$ is defined between the players $\forall$ and $\exists$ as follows: the positions of the game are $C(N) \times \Sigma^*$, with the initial position $((q_0, 0), \varepsilon)$. At round $i$ of the play, where the position is $(c_i, w_i)$:

– $\forall$ selects $a_i \in \Sigma$;
– $\exists$ selects a transition $\delta$ which can be taken at the configuration $c_i$ on reading $a_i$, i.e. $c_i \xrightarrow{a_i, d_i} c_{i+1}$.

If $\exists$ is unable to choose a transition (i.e. there is no $a_i$-transition at the configuration $c_i$ in the LTS generated by the net $N$), and $w_{i+1} = w_i a_i$ is the prefix of an accepting word, $\exists$ loses immediately. The player $\forall$ wins immediately when the word $w_{i+1}$ is accepting but the configuration $c_{i+1}$ is not at an accepting state, and the game terminates. The game continues from $(c_{i+1}, w_{i+1})$ otherwise. Player $\exists$ wins any infinite play.

We say a strategy for $\exists$ in the letter game of $N$ is a resolver for $N$ if it is a winning strategy for $\exists$ in the letter game.

Our characterization of history-deterministic one-counter nets by the above letter game is slightly different from the one presented in the work of Guha, Jecker, Lehtinen, and Zimmermann [18] for pushdown automata. In their work, they define history-determinism as having a consistent strategy based on the transitions taken so far. It is easy to argue that these two definitions are equivalent.

The letter game can be formulated as a reachability game over countably many vertices, where the player $\forall$ is trying to reach a position of the form $(c, w) \in C(N) \times \Sigma^*$, where $c$ is at a rejecting state, while $w$ is accepting. As such games are determined [27], the notion of history-determinism formulated as $\exists$ winning the letter game is well-defined.

Letter games have been used extensively to characterise history-determinism for other models as well, such as parity automata [6] and various kinds of quantitative and timed automata on both finite and infinite words [12,16,21].

To aid our understanding of history-determinism as well as the above definition, we provide an example of an automaton where $\exists$ wins the letter game, but her strategy depends on her counter value.


Example 3. Consider the language

$$L = \Big\{ a^n \$\, b^{n_1} \$\, b^{n_2} \$ \cdots \$\, b^{n_k} \$ \;\Big|\; \sum_{i=1}^{k} n_i < n \ \text{or}\ n_k = n - \sum_{i=1}^{k-1} n_i \Big\}$$

which can be accepted by a history-deterministic OCN as shown in Figure 1. The initial state is indicated with an arrow pointing to it, and the final states are double-circled. Missing transitions are assumed to go to a rejecting sink state. In the corresponding letter game, $\forall$ plays the letter $a$ several times, say $n$-many times, followed by a $\$$. The corresponding transitions so far are deterministic. Later, $\forall$ plays some series of $b$s and $\$$s, such that the word continues to be in the language. Note that the non-determinism occurs in only one state, which is marked with an $X$, upon reading the letter $b$. A winning strategy of $\exists$ which proves that this net is history-deterministic is the following: she takes the 'down' transition if the counter value is strictly larger than 1, but the 'right' transition on $b$ otherwise. This non-determinism can't be resolved by removing transitions, because removing either the 'down' $b$-transition or the 'right' $b$-transition changes the language accepted. We note that an equivalent deterministic OCN nevertheless exists, in which reading a $b$ directly after any $\$$ does not change the value of the counter, the second $b$ after a $\$$ reduces the counter by two, and any $b$ after that reduces the counter by 1, until a $\$$ is seen again.
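The OCN semantics of Section 2 and the letter game of Definition 2, as an added example that is not part of the paper: the toy net, its reference language and Eve's strategies are constructed (the net of Figure 1 is not reproduced here), and Adam's letters are fixed in advance so that a single play can be adjudicated exactly as the definition prescribes.

```python
import re
from typing import Callable, List, Optional, Set, Tuple

# Constructed example code: an OCN as in Section 2, with transitions (q, a, d, p),
# d in {-1, 0, +1}, and configurations (state, counter), counter in N_0.
Transition = Tuple[str, str, int, str]
Config = Tuple[str, int]
Strategy = Callable[[Config, str, List[Transition]], Transition]


class OCN:
    def __init__(self, delta: List[Transition], q0: str, final: Set[str]) -> None:
        self.delta, self.q0, self.final = delta, q0, set(final)

    def enabled(self, c: Config, a: str) -> List[Transition]:
        """Transitions on letter a from c: no zero tests, but the counter may not go below 0."""
        q, n = c
        return [t for t in self.delta if t[0] == q and t[1] == a and n + t[2] >= 0]

    @staticmethod
    def fire(c: Config, t: Transition) -> Config:
        return (t[3], c[1] + t[2])

    def accepting(self, c: Config) -> bool:
        return c[0] in self.final


def letter_game(net: OCN, adam_word: str, eve: Strategy,
                in_lang: Callable[[str], bool], live: Callable[[str], bool]) -> Tuple[str, str]:
    """One finite play of the letter game of Definition 2. Adam's letters are fixed
    in advance; `in_lang` decides membership in L(N) and `live` whether a word is
    the prefix of an accepted word (reference oracles for the toy net). Returns
    (winner, reason); a play that ends without a win for Adam is scored for Eve,
    since she wins every infinite play."""
    c, w = (net.q0, 0), ""
    for a in adam_word:
        w += a
        options = net.enabled(c, a)
        if not options:
            if live(w):
                return "Adam", f"Eve is stuck on {w!r}, which still extends to an accepted word"
            # Definition 2 gives Adam no win from a dead prefix, so Eve is safe (assumed convention)
            return "Eve", f"{w!r} cannot be extended to an accepted word"
        c = net.fire(c, eve(c, a, options))
        if in_lang(w) and not net.accepting(c):
            return "Adam", f"{w!r} is accepted, but Eve sits in the non-final state {c[0]}"
    return "Eve", "Adam found no mismatch in this play"


# Toy net: L = { a^n b^m c : 1 <= m <= n }  U  { a^n b^m c c : m >= 1 }.
# Eve must commit to a branch at the first b, before knowing whether one or two
# c's will follow: branch p1 counts the b's down, branch p2 ignores the counter.
TOY = OCN(
    [("q0", "a", +1, "q0"),
     ("q0", "b", -1, "p1"), ("p1", "b", -1, "p1"), ("p1", "c", 0, "f1"),
     ("q0", "b", 0, "p2"), ("p2", "b", 0, "p2"), ("p2", "c", 0, "p2c"), ("p2c", "c", 0, "f2")],
    "q0", {"f1", "f2"})


def _parse(w: str) -> Optional[Tuple[int, int, int]]:
    """Split a word of the form a^n b^m c^k into (n, m, k), or None."""
    m = re.fullmatch(r"(a*)(b*)(c*)", w)
    return None if m is None else (len(m.group(1)), len(m.group(2)), len(m.group(3)))


def toy_in_lang(w: str) -> bool:
    p = _parse(w)
    if p is None:
        return False
    n, m, k = p
    return m >= 1 and ((k == 1 and m <= n) or k == 2)


def toy_live(w: str) -> bool:
    """Prefix of some word in L: a*b*c^{<=2}, and once a c is read, some b came before it."""
    p = _parse(w)
    return p is not None and p[2] <= 2 and (p[2] == 0 or p[1] >= 1)


def prefer(state: str) -> Strategy:
    """Eve's strategy: take a transition into `state` when offered, else the first option."""
    def eve(c: Config, a: str, options: List[Transition]) -> Transition:
        return next((t for t in options if t[3] == state), options[0])
    return eve


def toy_is_not_hd() -> bool:
    """Adam has an answer to both of Eve's possible commitments at the first b."""
    lost_with_p1 = letter_game(TOY, "aabcc", prefer("p1"), toy_in_lang, toy_live)[0] == "Adam"
    lost_with_p2 = letter_game(TOY, "aabc", prefer("p2"), toy_in_lang, toy_live)[0] == "Adam"
    return lost_with_p1 and lost_with_p2
```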


3 Deciding History-Determinism 


The main result of this section is that deciding history-determinism for a given 
OCN is decidable and is PSPACE-complete as stated in the theorem below. 


Theorem 4. Given a one-counter net N, checking if N is history-deterministic 
is PSPACE-complete. 
[Figure 1]

Fig. 1. A history-deterministic OCN accepting $L$


The rest of this section is dedicated to the proof of the above statement. The proof of the upper bound proceeds by a series of polynomial-time reductions, as below.

    Deciding history-determinism
        ↓
    Deciding if ∃ wins the letter game
        ↓
    Deciding if ∃ wins the 1-token game G_1
        ↓
    Deciding if ∃ wins the simulation game

We define these games rigorously and prove these reductions in Subsection 3.1. Finally, since the winner of the simulation game over one-counter nets can be decided in PSPACE [24], this gives us the upper bound.

For the lower bound, we reduce from the problem of emptiness checking for alternating finite-state automata over a unary alphabet to deciding if ∃ wins the letter game.


3.1 Token Games 


Deciding history-determinism efficiently for finite-state parity automata over infinite words has been a major area of study in recent years. Bagnol and Kuperberg [11] gave a polynomial-time procedure for deciding history-determinism when the finite automaton accepts with a Büchi condition. Their underlying technique is a two-player game, called G_2 or the 2-token game, which they proved to be equivalent to the letter game when the automaton is Büchi. Boker, Kuperberg, Lehtinen, and Skrzypczak [12] extended this to show that the game G_2 is equivalent to the letter game when the automaton is co-Büchi as well. Deciding the winner of G_2 for an automaton of fixed parity index takes polynomial time [12], and hence deciding history-determinism for parity automata with a Büchi or co-Büchi acceptance condition is polynomial. It is conjectured that winning G_2 is equivalent to winning the letter game for higher parity indices as well; this is known as the G_2 conjecture [12]. Token games have also been instrumental in deciding history-determinism for quantitative automata, in the work of Boker and Lehtinen [17]. In that paper, they show that for finite words on a finite-state Boolean automaton, history-determinism is characterised by G_1. This was later adapted to labelled transition systems with a safety acceptance condition in the work of Henzinger, Lehtinen, and Totzke [21]. Thus, the 1-token game also characterises history-determinism for OCNs over finite words. We include a proof nonetheless, for the sake of completeness.

In a play of the letter game, ∀ picks the letters while ∃ picks the transitions, and the winning condition for ∃ is to produce an accepting run whenever the word played is in the language. Token games work similarly, but they impose more constraints on ∀: he must also display a valid run during the game with the help of some number of tokens. Here we concentrate on the 1-token game G_1. The player ∀ wins the game G_1 if and only if he produces an accepting run whilst ∃ produces a rejecting run. We make this formal in the definition below.


Definition 5 (One-token game G_1). Let N = (Q, Σ, Δ, q_0, F) be a one-counter net. The positions of the game G_1 on N are pairs of configurations, C(N) × C(N), where the first configuration in the pair denotes the position of ∃'s token and the second that of ∀'s token. The game starts at the initial position (c_0, c'_0) = ((q_0, 0), (q_0, 0)). At the i-th iteration of the play, where the position is (c_i, c'_i):

1. ∀ selects a letter a ∈ Σ;
2. ∃ selects a transition for her token, $c_i \xrightarrow{a,d} c_{i+1}$;
3. ∀ selects a transition for his token, $c'_i \xrightarrow{a,d'} c'_{i+1}$.

If ∃ is unable to choose a transition for her token whereas ∀ can choose a transition and extend the run on his token to an accepting run, then the game terminates and ∃ loses. However, irrespective of ∃'s ability to extend her run, if ∀ is unable to choose a transition for his token, then the game terminates and ∀ loses.

If both players can extend their runs by picking a transition, and ∀'s state in c'_{i+1} is accepting but ∃'s state in c_{i+1} is rejecting, then again the game terminates and ∃ loses. Otherwise, the game goes to (c_{i+1}, c'_{i+1}) for another round of play. We add that ∃ wins any infinite play.


Letter games can be seen as a version of token games where ∀ plays with infinitely many tokens. We show in the following lemma that one-token games, even with this limited power of ∀, capture letter games.

Lemma 6. For an OCN N, if ∃ wins the game G_1 on N, then ∃ has a winning strategy in the letter game on N.
To prove the above lemma, we need to understand better the structure of resolvers for OCNs. Consider the definition of residual transitions given below. Intuitively, these are transitions such that if there is an accepting word from a configuration whose first letter is a, then upon taking a residual transition on a, there is still an extension of the run on that word from the new configuration that is accepting. More formally, we say that a transition $(q,k) \xrightarrow{a} (q',k')$ is residual if $L(q',k') = a^{-1}L(q,k)$, where $L(q,k)$ (respectively $L(q',k')$) is the set of words accepted by N when the initial configuration is $(q,k)$ (respectively $(q',k')$) instead of $(q_0, 0)$. The proposition below shows that the winning strategies of ∃ are exactly those that take only residual transitions.


Proposition 7. For an OCN N, a strategy σ of ∃ in the letter game is winning for ∃ if and only if σ takes only residual transitions.


Note that in the letter game the winning player has a positional winning strategy, as it is a reachability game. Suppose that ∃ wins the letter game; then ∃ has a winning strategy given by a (partial) function σ : (Q × ℕ) × Σ* × Σ → Δ. Using Proposition 7, we can show that ∃'s strategy only needs to depend on the current configuration, and is independent of the word read so far.


Proposition 8. If ∃ wins the letter game, then ∃ has a winning strategy σ that depends only on the current configuration of the play, i.e., σ is a partial function

\[ \sigma : (Q \times \mathbb{N}) \times \Sigma \to \Delta. \]


Having shown that G_1 is equivalent to the letter game, we show that deciding the winner of G_1 is in PSPACE. This implies that deciding history-determinism is decidable, and in PSPACE. We do so by reducing G_1 to the simulation problem between two one-counter nets, which is known to be PSPACE-complete ([24], Theorem 7).

Given two OCNs N and N' at configurations (q, n) and (q', n'), we say that N' simulates N (or N is simulated by N') from these configurations if for any sequence of transitions from (q, n), there is also a sequence of transitions from (q', n') over the same letters, built 'on-the-fly'. The alternation between existential and universal quantifiers in this statement makes the definition naturally captured by the following game between the players ∀ and ∃.


Definition 9 (Simulation Game). Let N = (Q, Σ, Δ, q_I, F) and N' = (Q', Σ, Δ', q'_I, F') be two OCNs, and let c = (p, k) and c' = (p', k') be configurations in C(N) and C(N') respectively, where k, k' ∈ ℕ. The simulation game between N and N' at position (c, c'), denoted G((N, c) → (N', c')), is a two-player game between ∀ and ∃ with positions in C(N) × C(N'), where the initial position is (c_0, c'_0) = (c, c'). At round i of the play, where the position is (c_i, c'_i):

– ∀ selects a letter a ∈ Σ and a transition $c_i \xrightarrow{a,d} c_{i+1}$ in N;
– ∃ selects an a-transition $c'_i \xrightarrow{a,d'} c'_{i+1}$ in N'.

If ∀ is unable to choose a transition, then ∀ loses the game immediately. If ∃ is unable to choose a transition but ∀ can select a transition and extend the run in N to an accepting run, then ∃ loses the game.

Otherwise, if ∀'s state in c_{i+1} is accepting but ∃'s state in c'_{i+1} is rejecting, then ∃ loses the game and the game terminates. Else, the game goes to (c_{i+1}, c'_{i+1}) for another round of play. The player ∃ wins any infinite play.


If ∃ wins the above game, we say that (N', (p', k')) simulates (N, (p, k)), and we denote it by (N, (p, k)) → (N', (p', k')). Furthermore, we say that N' simulates N, written N → N', if (N, (q_I, 0)) → (N', (q'_I, 0)).

As the simulation game is a reachability game over a countable arena, it is determined, and the winning player has a positional strategy. Thus, if ∃ wins the simulation game G((N, (p, k)) → (N', (p', k'))), then ∃ has a positional winning strategy σ : C(N) × C(N') × Σ → Δ'.


Remark 10. In the literature on one-counter nets [29,24,30], the winning condition of the simulation game is expressed differently, via the inability of the players to choose transitions rather than via accepting states: the player ∀ (respectively ∃) loses the game if ∀ (respectively ∃) is unable to choose a transition. It can however be shown that the two versions of the simulation game are log-space reducible to each other.


Note the similarities (and differences) between G_1 and the simulation game. In both, ∀ wins by making his run accepting while ∃'s run is rejecting. In G_1, however, ∃ picks her transition first, while in the simulation game ∀ picks his transition first.

With some modifications to the structure of the underlying net in G_1, we can ensure that the simulation game between the modified net and the original net captures G_1. The intuition is that, in the simulation game, the net which is simulated is modified so that ∀ is forced to delay choosing his transition. This is formalised in the proof of the following lemma, and explained with a diagram in Figure 2.


Lemma 11. Given a one-counter net N, there are one-counter nets M and M', of size at most polynomial in the size of N, such that ∃ wins G_1 on N if and only if ∃ wins M → M'.


Proof (Sketch). For each run in N, we have a run in M that lags behind by one transition. The one-counter net M', on the other hand, is essentially N. We impose this 'one-transition lag' in M by construction: each transition chosen by ∀ in M corresponds to a letter together with a transition of N, but this transition of N is over the letter that ∀ had chosen in the previous turn. The alternation produced between ∀ and ∃ in a play of the simulation game between the constructed nets M and M' corresponds exactly to the alternation between ∀ and ∃ in G_1 on N. Figure 2 captures the intuition behind this construction.

The net M' is linear in the size of N, whereas M has size approximately |N| × |Σ|, where |Σ| is the size of the alphabet. The factor |Σ| arises from remembering the previous letter read in the state space, to create this lag for ∀'s decisions.


[Figure 2: two diagrams. Top, labelled G_1: ∃'s token moves c_0, c_1, c_2, c_3, c_4 and ∀'s token moves c'_0, c'_1, c'_2, c'_3, c'_4 on the letters a_1, a_2, a_3, …, with the moves numbered in the order they are played. Bottom, labelled "Simulation game": the same play in the simulation game between M and M', where ∀'s transition on each letter is taken one round later ('lag').]

Fig. 2. An illustration of a play of G_1, seen as a play of the simulation game


Finally, the following theorem from the work of Hofman, Lasota, Mayr, and Totzke [24] shows that the winner of a simulation game can be decided in PSPACE. We restate their result in our notation.

Theorem 12 ([24], Theorem 7). Given two one-counter nets N and N', with configurations (p, k) and (p', k') in C(N) and C(N') respectively, with k and k' represented in binary, deciding whether (N', (p', k')) simulates (N, (p, k)) is in PSPACE. Moreover, the set of pairs (k, k') for which (N, (p, k)) → (N', (p', k')) is semilinear, and can be computed in EXPSPACE.


We get the following lemma as a corollary of Lemmas 6 and 11 and Theorem 12. 


Lemma 13. Given a one-counter net N, we can decide in PSPACE if N is 
history-deterministic. 


3.2 Lower Bounds 


Although solving the simulation game is itself PSPACE-complete by the work of Srba [29], this lower bound does not transfer through our reduction to simulation games: the reduction from G_1 produces only a restricted class of simulation games, namely those that solve G_1.

Nevertheless, we show that deciding history-determinism is still PSPACE- 
hard, showing that even this restriction of the simulation problem is enough to 
induce PSPACE-hardness. 


Lemma 14. Given a one-counter net N, it is PSPACE-hard to decide if N is 
history-deterministic. 
Proof (Sketch). We reduce from the problem of checking non-emptiness of an alternating finite-state automaton over a unary alphabet. This problem was proven PSPACE-complete by Holzer [31], and its proof was simplified by Jančar and Sawa [32]. The intuition behind the reduction is to recreate a run of the alternating automaton in the letter game of a constructed OCN. In the letter game, a 'fair' play of ∀ corresponds to a branch of a run-tree of the automaton, with ∃ resolving universal transitions and ∀ resolving existential ones. The player ∀ can ensure that he wins the letter game if and only if the alternating automaton has some word that he can demonstrate to be in the language. If ∀ plays 'unfairly', gadgets ensure that ∃ automatically wins.


4 Languages and History-Determinism in OCNs 


We dedicate this section to tackling different questions about languages accepted 
by history-deterministic one-counter nets and decision problems on such lan- 
guages. 


4.1 Languages Accepted by History-Deterministic OCNs 


While in history-deterministic models we are able to resolve the non-determinism on-the-fly, it is not well understood what these resolvers look like in general. In fact, Guha, Jecker, Lehtinen, and Zimmermann showed that there are history-deterministic pushdown automata whose resolvers cannot be given by a pushdown automaton [18], and whether such a resolver can be computed is an open problem.

In this subsection, our goal is to understand better the languages of history-deterministic OCNs. As a first step towards this goal, we already have some intuition from the previous section on the eventually periodic nature of the transitions that are residual (as a corollary of Lemma 11 and Theorem 12). Here we solidify this intuition by defining what it means for a resolver to have the semilinear-strategy property, and then show that all nets have this property. For history-deterministic nets, using this semilinearity of the resolvers, we show the existence of a language-equivalent deterministic OCA.

We first give a sufficient condition, which we call the semilinear-strategy property, for a given history-deterministic one-counter net to be determinisable.

We say a transition δ = (p, a, d, p') of a one-counter net N is a good transition at (p, k) if ((p, k), (p, k)) is in the winning region of ∃ in G_1, and the transition $(p,k) \xrightarrow{a,d} (p', k+d)$ is a winning move for ∃ in G_1 when ∀ chooses the letter a. We also sometimes write this as: $(p,k) \xrightarrow{a,d} (p', k+d)$ is a good transition in N. The following lemma can be seen as a weakening of Proposition 7.

Lemma 15. Let N = (Q, Σ, Δ, q_0, F) be a history-deterministic one-counter net. A strategy σ of ∃ in the letter game is winning for ∃ if and only if σ only takes good transitions $\delta = (p,k) \xrightarrow{a,d} (p', k')$.


230 A. Prakash and K. S. Thejaswini 


Given a one-counter net N, we say that N satisfies the semilinear-strategy property if for each transition δ = (q, a, d, q'), the set of k ∈ ℕ such that δ is a good transition at (q, k) is semilinear. That is, for each transition δ = (q, a, d, q') ∈ Δ, the following set is eventually periodic:

\[ S_\delta = \{\, k \in \mathbb{N} \;\mid\; (q,k) \xrightarrow{a,d} (q', k+d) \text{ is a good transition at } (q,k) \,\}. \]


Lemma 16. If a history-deterministic OCN N = (Q, Σ, Δ, q_0, F) satisfies the semilinear-strategy property, then there is a language-equivalent deterministic OCA D.


Proof (Sketch). Assume that the history-deterministic OCN N satisfies the semilinear-strategy property. We first construct a non-deterministic one-counter automaton B, which can then be determinised easily by removing a minimal set of transitions to get rid of the non-determinism while preserving the language. The automaton B is designed so that its transitions correspond to the good transitions of N from any configuration. The eventual periodicity of the sets S_δ allows us to express this as a one-counter automaton, rather than as a labelled transition system with countably many states.

Intuitively, the automaton B is constructed so that its state space stores the period and the initial block of the semilinear sets. The runs of B are then in bijection with the runs of N that take only good transitions. Such a run exists in N by Lemma 15, as N is history-deterministic. However, the counter values in B are 'scaled down' to record only how many periods have passed, while counter value 0 indicates that the counter value in the original run lies within the initial block. The exact counter value in a run of N can be inferred from the state and the counter value of B.


Having shown that every history-deterministic one-counter net that satisfies 
semilinear-strategy property has a language equivalent DOCA, we proceed to 
show that every one-counter net satisfies semilinear-strategy property. We first 
display an example which solidifies an intuition of the above statement. 


Example 17. Consider the net N_7 shown in Figure 3, where all states labelled q_F are accepting. This automaton is not history-deterministic. However, if the counter value at q_1 is not a multiple of 7, then ∃ can resolve the non-determinism from q_1. Observe that the automaton accepts words of the form a^n $ b^k $ followed by one of two further letters, such that k ≤ n. Consider the following play of ∀ in the letter game from q_0: for 7n steps he reads a, after which he reads a $. So far, all transitions are deterministic. After that, assume he reads the letter b 7n many times. This ensures that the run ends at the state q_1 with counter value 0. If he reads $ here, this is the only position where ∃ has a choice: she has to choose between the two $-transitions out of q_1. However, since both one-letter suffixes are accepting from q_1 but each of them is accepting from only one of the two target states, ∀ can ensure that ∃ loses no matter what she picks. However, if ∀ had read a number of bs that was not a multiple of 7, the play of an accepting word would end at q_F, which is accepting.

Fig. 3. The one-counter net N_7 from Example 17


Lemma 18. Every one-counter net N satisfies semilinear-strategy property. 


The proof of the above lemma follows from Theorem 12, using a construction similar to the one in the proof of Lemma 11. As an easy corollary of the above two lemmas, we get the following theorem.


Theorem 19. Every history-deterministic OCN can be determinised to produce 
an equivalent deterministic OCA. 


An easy analysis of our proof combined with the results on the representation 
of simulation preorder ([24], Lemma 28) shows a doubly exponential upper bound 
on the size of the equivalent deterministic OCA constructed from the proof of 
the theorem above. 


Remark 20. On the topic of the expressivity of history-determinism, we conclude this subsection by remarking that history-deterministic OCNs are strictly less expressive than non-deterministic OCNs. This can be demonstrated with the language L = { a^i $ b^j $ b^k | j < i or k < i }. It is routine to verify that this language is not accepted by any history-deterministic OCN, but it is accepted by a non-deterministic OCN. Note that history-determinism itself is not the limiting factor in accepting this language, as it is accepted by a history-deterministic pushdown automaton [18].
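As an added worked example (not part of the paper), the Python program below is a small simulator for one-counter nets as used here: transitions (p, a, d, p') with d ∈ {−1, 0, +1}, enabled at (p, k) only when k + d ≥ 0, and acceptance by a final state after the whole word is read. It builds a non-deterministic OCN for the language L of Remark 20, reading the inequalities as strict as printed, cross-checks it against a direct membership test, and then applies the residual-transition condition of Proposition 7 to the net's single non-deterministic choice on a finite sample of continuations. State names, sample words and helper names are the example's own assumptions.

```python
"""Added example (not from the paper): a one-counter-net simulator, a
non-deterministic OCN for L = { a^i $ b^j $ b^k | j < i or k < i } of
Remark 20, and a sample-based test of the residual condition of
Proposition 7.  State names, sample words and helper names are assumed."""
from collections import defaultdict
from itertools import product
from typing import Dict, Iterable, List, Optional, Set, Tuple

Config = Tuple[str, int]                # (state, counter value)
Transition = Tuple[str, str, int, str]  # (source, letter, d, target)


class OCN:
    """N = (Q, Sigma, Delta, q0, F); a transition is enabled at (p, k) iff k + d >= 0."""

    def __init__(self, transitions: Iterable[Transition], q0: str, final: Iterable[str]):
        self.by_src_letter: Dict[Tuple[str, str], List[Tuple[int, str]]] = defaultdict(list)
        for (p, a, d, q) in transitions:
            assert d in (-1, 0, 1), "an OCN changes the counter by at most one"
            self.by_src_letter[(p, a)].append((d, q))
        self.q0 = q0
        self.final = frozenset(final)

    def step(self, confs: Set[Config], a: str) -> Set[Config]:
        """All configurations reachable from `confs` by one a-transition."""
        out: Set[Config] = set()
        for (p, k) in confs:
            for (d, q) in self.by_src_letter.get((p, a), ()):
                if k + d >= 0:  # no zero tests, but the counter never goes negative
                    out.add((q, k + d))
        return out

    def run(self, word: str, start: Optional[Config] = None) -> Set[Config]:
        confs = {start if start is not None else (self.q0, 0)}
        for a in word:
            confs = self.step(confs, a)
            if not confs:
                break
        return confs

    def accepts_from(self, conf: Config, word: str) -> bool:
        """word in L(conf): some run from `conf` ends in a final state."""
        return any(q in self.final for (q, _) in self.run(word, conf))

    def accepts(self, word: str) -> bool:
        return self.accepts_from((self.q0, 0), word)


# Branch A checks j < i, branch B checks k < i; the strict inequality is
# enforced by the -1 on the second '$' (it needs counter >= 1 to fire).
REMARK20 = OCN(
    transitions=[
        ("q0", "a", +1, "q0"),
        ("q0", "$", 0, "A1"), ("q0", "$", 0, "B1"),   # the only non-determinism
        ("A1", "b", -1, "A1"), ("A1", "$", -1, "A2"), ("A2", "b", 0, "A2"),
        ("B1", "b", 0, "B1"), ("B1", "$", -1, "B2"), ("B2", "b", -1, "B2"),
    ],
    q0="q0", final=["A2", "B2"])


def in_remark20_language(word: str) -> bool:
    """Independent reference test for L, used to validate REMARK20."""
    parts = word.split("$")
    if len(parts) != 3:
        return False
    a_part, j_part, k_part = parts
    if a_part.strip("a") or j_part.strip("b") or k_part.strip("b"):
        return False
    i, j, k = len(a_part), len(j_part), len(k_part)
    return j < i or k < i


def validate_against_reference(max_len: int) -> bool:
    """REMARK20 agrees with the reference on every word over {a, b, $} up to max_len."""
    return all(REMARK20.accepts("".join(w)) == in_remark20_language("".join(w))
               for n in range(max_len + 1) for w in product("ab$", repeat=n))


def is_residual_on_samples(net: OCN, conf: Config, a: str, target: Config,
                           continuations: Iterable[str]) -> bool:
    """Sample-based check of Proposition 7's condition L(target) = a^{-1} L(conf).
    L(target) <= a^{-1} L(conf) holds for every a-transition of the same net, so
    only the other inclusion can fail: each sampled continuation accepted from
    `conf` after `a` must also be accepted from `target`."""
    return all(net.accepts_from(target, w)
               for w in continuations if net.accepts_from(conf, a + w))


def remark20_residual_check() -> Dict[str, bool]:
    """After the prefix 'aa' the letter player plays '$' at (q0, 2): neither
    candidate transition is residual, each loses a continuation the other needs."""
    samples = ["b$bbbbb", "bbbbb$b", "b$b", "bbb$bbb"]
    return {t: is_residual_on_samples(REMARK20, ("q0", 2), "$", (t, 2), samples)
            for t in ("A1", "B1")}
```

The check is only a necessary condition: Proposition 7 asks for language equality, whereas the sample tests one inclusion on finitely many words. That already suffices to exhibit the failure claimed in Remark 20: after a^2 $, each of ∃'s two options rejects a continuation the other accepts, so no residual transition exists at that position and no strategy of ∃ wins the letter game.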


4.2 Complexity of comparing languages of history-deterministic 
OCNs 


Comparisons between languages of non-deterministic OCNs are undecidable [23], and even the restricted question of universality is Ackermann-complete [33]. In this section, we show that for history-deterministic nets these problems become decidable, with significantly lower complexity than for non-deterministic nets.




Although we have shown that history-deterministic OCNs can be converted to a deterministic automaton, this determinisation does not help us answer these questions. This is because for deterministic OCAs, the inclusion problem is undecidable [28]. Even though equality and universality for deterministic OCAs are NL-complete [34], the deterministic OCA obtained from determinising a history-deterministic OCN could be much larger than the input net, leading to a higher complexity.

Nevertheless, we show that checking language inclusion, and hence language equivalence, between two history-deterministic one-counter nets is in PSPACE. This is done by a polynomial-time reduction to the problem of deciding history-determinism, which we showed to be in PSPACE in Lemma 13. Moreover, combining our techniques with results of Kučera [35] gives a polynomial-time algorithm for checking language universality of HD-OCNs.


Lemma 21. Deciding language inclusion and language equivalence between two 
history-deterministic one-counter nets is in PSPACE. 


We show that checking language inclusion between two history-deterministic OCNs reduces to checking whether a larger OCN, linear in the sum of the sizes of the two OCNs, is history-deterministic. Since language equivalence amounts to checking language inclusion in both directions, we obtain the above result.


Lemma 22. Deciding language universality for a given history-deterministic 
one-counter net is in P. 


The problem of universality reduces to checking whether the input net N simulates a finite-state automaton. This problem was shown to be in P by Kučera ([35], Lemma 2), showing that universality is in P.

We therefore have the following theorem. 


Theorem 23. For history-deterministic nets H and H', checking whether L(H) ⊆ L(H'), as well as checking whether L(H) = L(H'), can be done in PSPACE. If H is instead a deterministic finite-state automaton, this problem can be solved in P.


We summarise known results and complexity of relevant results for comparison 
with other automata models in Table 1. 


5 Extensions and Variations of OCN 


In this section we revisit the question of deciding history-determinism for one-counter nets and their variants. In the first subsection, we tackle the question of how the complexity changes if the nets are encoded succinctly. We show that, as expected, this increases the complexity of the problem from PSPACE-complete to EXPSPACE-complete. We then answer affirmatively the question of whether adding zero-tests adds too much power to one-counter nets, by showing that the problem of deciding history-determinism becomes undecidable.
        | L ⊆ L'           | L = L'           | L = Σ*
DOCN    | NL-complete [33] | NL-complete [33] | NL-complete [33]
HD-OCN  | In PSPACE        | In PSPACE        | In P
OCN     | Undecidable [28] | Undecidable [23] | Ackermann-complete [33]
DOCA    | Undecidable [28] | NL-complete [36] | NL-complete [36]

Table 1. Complexities for the problems of deciding language inclusion, equivalence and universality over deterministic OCN, HD-OCN, non-deterministic OCN and deterministic OCA.


5.1 Succinct Encoding of Counters 


We consider a succinct representation of the input nets or a succinct one-counter 
net, where the transitions can allow for increments or decrements by integers 
(potentially greater than 1) that are represented in binary. Unsurprisingly, we 
show that checking for history-determinism becomes EXPSPACE-complete in 
this case. The upper bound follows from the previous proof of the PSPACE 
upper bound from Lemma 13 of deciding history-determinism for one-counter 
nets, where counter values are in unary. Any succinct one-counter net can be 
converted with only an exponential blow-up into another language equivalent 
net with unary encoding, preserving history-determinism thereby giving us an 
EXPSPACE upper bound. 


Proposition 24. Given a succinct one-counter net N deciding if N is history- 
deterministic is in EXPSPACE. 


However, much more work is needed to show a matching lower bound, which we do by giving a reduction from reachability games on succinct one-counter nets (SOCN). Intuitively, these games are played on the configuration graph of a succinct OCN whose alphabet is a singleton. The states of this SOCN are partitioned between two players, denoted ∃ and ∀, who are responsible for choosing the transitions from their states. The goal of ∀ is to take the play to a designated winning state with counter value 0. Deciding the winner of the SOCN-reachability game was shown to be EXPSPACE-complete by Hunter [37], and later several of its variants were shown to have the same complexity [30]. A polynomial-time reduction from this game to checking history-determinism of a SOCN gives us EXPSPACE-hardness.


Lemma 25. Given a SOCN N, deciding if N is history-deterministic is 
EXPSPACE-hard. 


Proof (Sketch). Given an instance of a SOCN-reachability game on a net M, we construct a SOCN N such that ∀ wins the SOCN-reachability game on M if and only if ∀ wins the letter game on N.

The high-level idea of the construction is that in a play of the letter game on N, the players ∀ and ∃ create a transcript of a run of M. This is done by ensuring that ∀'s choice of letters in N corresponds to picking a transition out of a ∀-state in M. Since ∃ resolves the non-determinism in the letter game on N, her choices of transitions correspond to transitions out of ∃-states in the SOCN-reachability game.

However, there are some subtleties in the construction, as we need to ensure a few important aspects while constructing N. Firstly, any sequence of letters chosen by ∀ so far in the letter game on N must correspond to a run of M, and secondly, the interplay between ∃'s and ∀'s choices in the letter game on N must correspond to the choices of the players ∃ and ∀ respectively in the SOCN-reachability game on M. These are the main challenges in constructing such a net N, and they are resolved by the use of a few gadgets.


We conclude this subsection by combining Proposition 24 and Lemma 25 to 
obtain the following theorem. 


Theorem 26. Given a SOCN N, deciding if N is history-deterministic is 
EXPSPACE-complete. 


5.2 Deciding History-Determinism for OCA


We show that, given a one-counter automaton A, deciding whether A is history-deterministic is undecidable. It was shown by Guha, Jecker, Lehtinen, and Zimmermann [18] that deciding whether a given non-deterministic pushdown automaton is history-deterministic is undecidable. We extend their result to OCAs via a reduction from language inclusion for deterministic one-counter automata (DOCA), which is known to be undecidable [28].


Theorem 27. Given an OCA A, deciding if A is history-deterministic is un- 
decidable. 


Proof (Sketch). Consider the following problem:
DOCA Inclusion: Given two DOCAs A and B, is L(A) ⊆ L(B)?

The above problem was shown to be undecidable in Section 5.1 of Valiant's thesis [28]. We show that deciding whether a given one-counter automaton is history-deterministic is also undecidable, by giving a reduction from the DOCA inclusion problem to checking history-determinism of a given OCA.


6 Discussion 


We showed several decision problems related to history-determinism to be de- 
cidable over OCNs. This is unlike other classes of infinite-state systems that 
subsume them, where either some or all of these problems are undecidable. 

We note that we only deal with realtime nets with no e-transitions, but our 
results hold without too much modification when e-transitions are present, as 
weak simulation over OCNs can be decided in PSPACE (and EXPSPACE for 
a succinct encoding), and the weak simulation pre-order is semilinear as well [24]. 
We also showed that testing the counter for zero makes checking history-determinism undecidable. Along these lines, one could ask about models like reversal-bounded one-counter automata [38], or automata with a bounded number of zero-tests, to gauge the frontier between decidability and undecidability for these systems.

Although not obvious from the main part of the paper, we are confident that our results can easily be extended to safety acceptance conditions. One could also look at reachability, Büchi and co-Büchi acceptance conditions and understand how history-determinism works in these models.

There are several questions about the expressivity of history-deterministic OCNs which we believe need further study. Overloading notation and using DOCN, DOCA, OCN, HD-OCN and HD-OCA to denote the classes of languages accepted by the corresponding models, we have shown that

\[ \text{DOCN} \subseteq \text{HD-OCN} \subseteq \text{OCN} \cap \text{DOCA}. \]

An interesting problem would be to prove or disprove that any of these inclusions is strict. In fact, we do not have an example of a language that is accepted by a history-deterministic OCN but not by a deterministic OCN.

One could ask similar questions about the expressivity of history-determinism in OCAs, i.e., whether HD-OCA = DOCA. Although deciding history-determinism is undecidable for OCAs, it might still be possible to show that history-deterministic OCAs are exactly as expressive as deterministic OCAs. We remark that the 1-token game G_1 characterises history-determinism for OCAs as well. Moreover, we can again show with similar techniques that if history-deterministic OCAs satisfy the semilinear-strategy property, then their languages can also be expressed by deterministic OCAs. The key part needed for the determinisation of history-deterministic OCAs is therefore the semilinear-strategy property. It would be interesting to see what such a proof would look like, given that checking history-determinism is undecidable for OCAs.
Abstract. We consider a general class of decision problems concerning formal languages, called (one-dimensional) 'unboundedness predicates', for automata that feature reversal-bounded counters (RBCA). We show that each problem in this class reduces, non-deterministically in polynomial time, to the same problem for just finite automata. We also show an analogous reduction for automata that have access to both a pushdown stack and reversal-bounded counters (PRBCA).

This allows us to answer several open questions: For example, we show that it is coNP-complete to decide whether a given (P)RBCA language L is bounded, meaning whether there exist words w_1, …, w_n with L ⊆ w_1^* ⋯ w_n^*. For PRBCA, even decidability was open. Our methods also show that there is no language of a (P)RBCA of intermediate growth. This means that the number of words of each length grows either polynomially or exponentially. Part of our proof is likely of independent interest: we show that one can translate an RBCA into a machine with Z-counters in logarithmic space, while preserving the accepted language.

Keywords: Formal languages · Decidability · Complexity · Counter automata · Reversal-bounded · Pushdown · Boundedness · Unboundedness


1 Introduction 


A classic idea in the theory of formal languages is the concept of boundedness of a language. A language L over an alphabet Σ is called bounded if there exist a number n ∈ ℕ and words w_1, …, w_n ∈ Σ* such that L ⊆ w_1^* ⋯ w_n^*. What makes boundedness important is that a rich variety of algorithmic problems become decidable for bounded languages. For example, when Ginsburg and Spanier [25] introduced boundedness in 1964, they already showed that given two context-free languages, one of them bounded, one can decide inclusion [25, Theorem 6.3]. This is because if L ⊆ w_1^* ⋯ w_n^* for a context-free language L, then the set

\[ \{\, (\ell_1, \ldots, \ell_n) \in \mathbb{N}^n \;\mid\; w_1^{\ell_1} \cdots w_n^{\ell_n} \in L \,\} \]

is effectively semilinear, which permits expressing inclusion in Presburger arithmetic. Here, boundedness is a crucial assumption: Hopcroft has shown that if L_0 ⊆ Σ* is context-free, then the problem of deciding L_0 ⊆ L for a given context-free language L is decidable if and only if L_0 is bounded [35, Theorem 3.3].

The idea of translating questions about bounded languages into Presburger 
arithmetic has been applied in several other contexts. For example, Esparza, 
Ganty, and Majumdar [20] have shown that many classes of infinite-state systems 
are perfect modulo bounded languages, meaning that the bounded languages form 
a subclass that is amenable to many algorithmic problems. As another example, 
the subword ordering has a decidable first-order theory on bounded context- 
free languages [45], whereas on languages $\Sigma^*$, even the existential theory is
undecidable [33]. This, in turn, implies that initial limit Datalog is decidable for 
the subword ordering on bounded context-free languages [7]. Finally, bounded 
context-free languages can be closely approximated by regular ones [16]. 

This raises the question of how one can decide whether a given language 
is bounded. For context-free languages this problem is decidable [25, Theorem
5.2(a)] in polynomial time [24, Theorem 19].


Boundedness for RBCA. Despite the importance of boundedness, it had been
open for many years [9, 17]¹ whether boundedness is decidable for one of the most
well-studied types of infinite-state systems: reversal-bounded (multi-)counter
automata (RBCA). These are machines with counters that can be incremented,
decremented, and even tested for zero. However, in order to achieve decidability
of basic questions, there is a bound on the number of times each counter can
reverse, that is, switch between incrementing and decrementing phases. They were
first studied in the 1970s [2, 36] and have received a lot of attention since [8–13,
18, 23, 28, 32, 33, 39–41, 58]. The desirable properties mentioned above for
bounded context-free languages also apply to bounded RBCA. Furthermore, any 
bounded language accepted by an RBCA (even one augmented with a stack) can 
be effectively determinized [38] (see also [9, 11]), opening up even more avenues 
to algorithmic analysis. This makes it surprising that decidability of boundedness 
remained open for many years. 

Decidability of boundedness for RBCA was settled in [15], which proves 
boundedness decidable even for the larger class of vector addition systems with 
states (VASS), with acceptance by configuration. However, the results from [15] 
leave several aspects unclarified, which we investigate here: 


Q1: What is the complexity of deciding boundedness for RBCA? The algorithm 
in [15] employs the KLMST decomposition for VASS [43, 46, 48, 50, 54], 
which is well-known to incur Ackermannian complexity [49]. 

Q2: Is boundedness decidable for pushdown RBCA (PRBCA) [36]? These are 
automata which, in addition to reversal-bounded counters, feature a stack. 
They can model recursive programs with numeric data types [32]. Whether 
boundedness is decidable was stated as open in [17, 18]. 


¹ Note that [9] is about Parikh automata, which are equivalent to RBCA.
Q3: Are there languages of RBCA of intermediate growth? As far as we know,
this is a long-standing open question in itself [37]. The growth of a language
$L \subseteq \Sigma^*$ is the counting function $g_L \colon \mathbb{N} \to \mathbb{N}$, where $g_L(n)$ is the number
of words of length $n$ in $L$. This concept is closely tied to boundedness:
For regular and context-free languages, it is known that a language has
polynomial growth if and only if it is bounded (and it has exponential
growth otherwise). A language is said to have intermediate growth if it has
neither polynomial nor exponential growth.


Contribution I: We prove versions of one of the main results in [15], one for 
RBCA and one for PRBCA. Specifically, the paper [15] not only shows that 
boundedness is decidable for VASS, but it introduces a general class of un- 
boundedness predicates for formal languages. It is then shown in [15] that any 
unboundedness predicate is decidable for VASS if and only if it is decidable for 
regular languages. Our first two main results are: 


MR1: Deciding any unboundedness predicate for RBCA reduces in NP to deciding
the same predicate for regular languages.

MR2: Deciding any unboundedness predicate for PRBCA reduces in NP to de- 
ciding the same predicate for context-free languages. 


However, it should be noted that our results only apply to those unboundedness 
predicates from [15] that are one-dimensional. Fortunately, these are enough for 
our applications. These results allow us to settle questions (Q1)—(Q3) above and 
derive the exact complexity of several other problems. It follows that bounded- 
ness for both RBCA and PRBCA is coNP-complete, thus answering (Q1) and 
(Q2). Furthermore, the proof shows that if boundedness of a PRBCA does not 
hold, then its language has exponential growth. This implies that there are no 
RBCA languages of intermediate growth (thus settling (Q3)), and even that the 
same holds for PRBCA. In particular, deciding polynomial growth of (P)RBCA 
is coNP-complete and deciding exponential growth of (P)RBCA is NP-complete. 
We can also derive from our result that deciding whether a (P)RBCA language
is infinite is NP-complete (but this also follows easily from [32], see Section 2).
Finally, our results imply that it is PSPACE-complete to decide if an RBCA
language $L \subseteq \Sigma^*$ is factor universal, meaning it contains every word of $\Sigma^*$ as a
factor (i.e. as an infix). Whether this problem is decidable for RBCA was also
left as an open problem in [17, 18] (under the name infix density).

We prove our results (MR1) and (MR2) by first translating (P)RBCA into 
models that have Z-counters instead of reversal-bounded counters. A Z-counter 
is one that can be incremented and decremented, but cannot be tested for zero. 
Moreover, it can assume negative values. With these counters, acceptance is 
defined by reaching a configuration where all counters are zero (in particular, 
the acceptance condition permits a single zero-test on each counter). Here, finite 
automata with Z-counters are called Z-VASS [29]. Z-counters are also known as
blind counters [26] and it is a standard fact that RBCA are equivalent (in terms 
of accepted languages) to Z-VASS [26, Theorem 2]. 
Problem               Z-VASS/RBCA        Z-grammars/PRBCA
Boundedness           coNP-complete      coNP-complete
Finiteness            coNP-complete      coNP-complete
Factor universality   PSPACE-complete    undecidable

Table 1. Complexity results. The completeness statements are meant with respect to
deterministic logspace reductions.


Despite the equivalence between RBCA and Z-VASS being so well-known, 
there was apparently no known translation from RBCA to Z-VASS in polynomial 
time. Here, the difficulty stems from simulating zero-tests (which can occur an 
unbounded number of times in an RBCA): To simulate these, the Z-VASS needs 
to keep track of which counter has completed which incrementing/decrementing
phase, using only polynomially many control states. It is also not obvious how 
to employ the Z-counters for this, as they are only checked in the end. 


Contribution II: As the first step of showing (MR1), we show that


MR3: RBCA can be translated (preserving the language) into Z-VASS in logarithmic
space.


This also implies that translations to and from another equivalent model, Parikh 
automata [41], are possible in polynomial time: It was recently shown that Parikh 
automata (which have received much attention in recent years [6, 8-10, 13, 22]) 
can be translated in polynomial time into Z-VASS [30]. Together with our new 
result, this implies that one can translate among RBCA, Z-VASS, and Parikh 
automata in polynomial time. Furthermore, our result yields a logspace trans- 
lation of PRBCA into Z-grammars, an extension of context-free grammars with 
Z-counters. The latter is the first step for (MR2). 


2 Main Results: Unboundedness and (P)RBCA 


Reversal-bounded counter automata and pushdowns. A pushdown automaton
with $k$ counters is a tuple $A = (Q, \Sigma, \Gamma, q_0, T, F)$ where $Q$ is a finite
set of states, $\Sigma$ is an input alphabet, $\Gamma$ is a stack alphabet, $q_0 \in Q$ is an initial
state, $T$ is a finite set of transitions $(p, w, \mathit{op}, q) \in Q \times \Sigma^* \times \mathit{Op} \times Q$, and $F \subseteq Q$
is a set of final states. Here $\mathit{Op}$ is defined as


$$\mathit{Op} = \{\mathsf{inc}_i, \mathsf{dec}_i, \mathsf{zero}_i, \mathsf{nz}_i \mid 1 \le i \le k\} \cup \Gamma \cup \bar{\Gamma} \cup \{\varepsilon\},$$


containing counter and stack operations. Here $\bar{\Gamma} = \{\bar{\gamma} \mid \gamma \in \Gamma\}$ is a disjoint copy
of $\Gamma$. A configuration is a tuple $(p, \alpha, u) \in Q \times \Gamma^* \times \mathbb{N}^k$. We write $(p, \alpha, u) \xrightarrow{w}
(p', \alpha', u')$ if there is a $(p, w, \mathit{op}, p') \in T$ such that one of the following holds:


– $\mathit{op} = \mathsf{inc}_i$, $u' = u + e_i$, and $\alpha' = \alpha$, where $e_i \in \mathbb{N}^k$ is the $i$-th unit vector,
– $\mathit{op} = \mathsf{dec}_i$, $u' = u - e_i$, and $\alpha' = \alpha$,
– $\mathit{op} = \mathsf{zero}_i$, $u[i] = 0$, $u' = u$, and $\alpha' = \alpha$,
– $\mathit{op} = \mathsf{nz}_i$, $u[i] \neq 0$, $u' = u$, and $\alpha' = \alpha$,
– $\mathit{op} = \gamma \in \Gamma$, $u' = u$, and $\alpha' = \alpha\gamma$ (push),
– $\mathit{op} = \bar{\gamma} \in \bar{\Gamma}$, $u' = u$, and $\alpha'\gamma = \alpha$ (pop),
– $\mathit{op} = \varepsilon$, $u' = u$, and $\alpha' = \alpha$.


We extend this notation to longer runs in the natural way. 

A $(k,r)$-PRBCA (pushdown reversal-bounded counter automaton) $(A, r)$
consists of a pushdown automaton with $k$ counters $A$ and a number $r \in \mathbb{N}$,
encoded in unary. A counter $c_i$ reverses if the last (non-test) operation affecting
it was $\mathsf{inc}_i$ and the next operation is $\mathsf{dec}_i$, or vice versa. A run is $r$-reversal
bounded if every counter reverses at most $r$ times. The language of $(A, r)$ is


$$L(A, r) = \{w \in \Sigma^* \mid \exists q \in F,\ r\text{-reversal bounded run } (q_0, \varepsilon, \mathbf{0}) \xrightarrow{w} (q, \varepsilon, \mathbf{0})\}.$$


A (k,r)-RBCA (reversal-bounded counter automaton) is a (k,r)-PRBCA 
where A only uses counter operations. We denote by RBCA and PRBCA the 
class of (P)RBCA languages. 

Notice that we impose the reversal bound externally (following [32]) whereas 
in alternative definitions found in the literature the automaton has to ensure 
internally that the number of reversals on every (accepting) run does not ex- 
ceed r, e.g. [36]. Clearly, our definition subsumes the latter one; in particular, 
Theorem 1 also holds for (P)RBCAs with an internally checked reversal bound. 
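As an added illustration (my own code, not from the paper), the following Python checker implements exactly the configuration semantics above, including the externally imposed reversal bound $r$: a run is discarded as soon as some counter has reversed more than $r$ times. The dict encoding of an automaton, the sample automata and the search cut-off `max_steps` are my own assumptions.

```python
from collections import deque

# Counter and stack operations, mirroring the set Op of the paper.
def inc(i): return ("inc", i)
def dec(i): return ("dec", i)
def zero(i): return ("zero", i)
def nz(i): return ("nz", i)
def push(g): return ("push", g)   # gamma in Gamma
def pop(g): return ("pop", g)     # bar-gamma in bar-Gamma
EPS = ("eps", None)               # the epsilon operation: no effect at all


def step(conf, trans):
    """Apply one transition (p, w, op, q) to a configuration
    (p, stack, counters, last_dir, reversals); None if the operation blocks."""
    p, stack, u, last, revs = conf
    src, _w, (kind, arg), dst = trans
    if src != p:
        return None
    u, stack, last, revs = list(u), list(stack), list(last), list(revs)
    if kind in ("inc", "dec"):
        i = arg - 1
        if kind == "dec" and u[i] == 0:
            return None                       # counters stay in N
        if last[i] is not None and last[i] != kind:
            revs[i] += 1                      # inc<->dec switch = one reversal
        last[i] = kind
        u[i] += 1 if kind == "inc" else -1
    elif kind == "zero" and u[arg - 1] != 0:
        return None
    elif kind == "nz" and u[arg - 1] == 0:
        return None
    elif kind == "push":
        stack.append(arg)
    elif kind == "pop":
        if not stack or stack[-1] != arg:
            return None
        stack.pop()
    return (dst, tuple(stack), tuple(u), tuple(last), tuple(revs))


def accepts(aut, r, word, max_steps=100_000):
    """Decide w in L(A, r) by breadth-first search over (position, configuration).
    Assumption: the search is cut off after max_steps expansions, so it is exact
    only for automata without epsilon-cycles that grow a counter or the stack."""
    k = aut["k"]
    start = (0, (aut["init"], (), (0,) * k, (None,) * k, (0,) * k))
    seen, queue, steps = {start}, deque([start]), 0
    while queue and steps < max_steps:
        pos, conf = queue.popleft()
        steps += 1
        p, stack, u, _last, _revs = conf
        # acceptance: whole word read, final state, empty stack, all counters zero
        if pos == len(word) and p in aut["final"] and not stack and not any(u):
            return True
        for t in aut["trans"]:
            w = t[1]
            if t[0] != p or not word.startswith(w, pos):
                continue
            nxt = step(conf, t)
            if nxt is None or any(x > r for x in nxt[4]):
                continue                      # blocked, or reversal bound r exceeded
            item = (pos + len(w), nxt)
            if item not in seen:
                seen.add(item)
                queue.append(item)
    return False


# Constructed sample automata; transitions are (p, w, op, q) with w in Sigma*.
ABC = {  # {a^n b^n c^n | n >= 1} as a (2,1)-RBCA: c_1 compares a/b, c_2 compares a/c
    "k": 2, "init": "q0", "final": {"q3"},
    "trans": [("q0", "a", inc(1), "q1"), ("q1", "", inc(2), "q0"),
              ("q0", "b", dec(1), "q2"), ("q2", "b", dec(1), "q2"),
              ("q2", "c", dec(2), "q3"), ("q3", "c", dec(2), "q3")],
}
TWICE = {  # {a^n b^n a^m b^m | n, m >= 1} reusing one counter: needs 3 reversals
    "k": 1, "init": "q0", "final": {"q3"},
    "trans": [("q0", "a", inc(1), "q0"), ("q0", "b", dec(1), "q1"),
              ("q1", "b", dec(1), "q1"), ("q1", "a", inc(1), "q2"),
              ("q2", "a", inc(1), "q2"), ("q2", "b", dec(1), "q3"),
              ("q3", "b", dec(1), "q3")],
}
ANBN = {  # {a^n b^n | n >= 1} using the stack alone (k = 0 counters)
    "k": 0, "init": "q0", "final": {"q1"},
    "trans": [("q0", "a", push("A"), "q0"), ("q0", "b", pop("A"), "q1"),
              ("q1", "b", pop("A"), "q1")],
}

if __name__ == "__main__":
    print(accepts(ABC, 1, "aabbcc"), accepts(TWICE, 3, "aabbab"),
          accepts(TWICE, 1, "aabbab"), accepts(ANBN, 0, "aabb"))
```

The same word `aabbab` is accepted by `TWICE` with $r = 3$ but rejected with $r \le 2$, which is exactly the effect of imposing the reversal bound externally.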

A $d$-dimensional Z-VASS ($\mathbb{Z}$-vector addition system with states) is a tuple
$V = (Q, \Sigma, q_0, T, F)$, where $Q$ is a finite set of states, $\Sigma$ is an alphabet, $q_0 \in Q$
is an initial state, $T$ is a finite set of transitions $(p, w, v, p') \in Q \times \Sigma^* \times \mathbb{Z}^d \times Q$,
and $F \subseteq Q$ is a set of final states. A configuration of a Z-VASS is a tuple
$(p, u) \in Q \times \mathbb{Z}^d$. We write $(p, u) \xrightarrow{w} (p', u')$ if there is a transition $(p, w, v, p')$
such that $u' = u + v$. We extend this notation to longer runs in the natural way.
The language of the Z-VASS is defined as


$$L(V) = \{w \in \Sigma^* \mid \exists q \in F \colon (q_0, \mathbf{0}) \xrightarrow{w} (q, \mathbf{0})\}.$$


A ($d$-dimensional) Z-grammar is a tuple $G = (N, \Sigma, S, P)$ with disjoint finite
sets $N$ and $\Sigma$ of nonterminal and terminal symbols, a start nonterminal $S \in N$,
and a finite set of productions $P$ of the form $(A, u, v) \in N \times (N \cup \Sigma)^* \times \mathbb{Z}^d$. We
also write $(A \to u, v)$ instead of $(A, u, v)$. We call $v$ the (counter) effect of the
production $(A \to u, v)$. For words $x, y \in (N \cup \Sigma)^*$, we write $x \Rightarrow^{v} y$ if there is
a production $(A \to u, v)$ such that $x = rAs$ and $y = rus$. Moreover, we write
$x \Rightarrow^{*}_{v} y$ if there are words $x_1, \ldots, x_n \in (N \cup \Sigma)^*$ and $v_1, \ldots, v_n \in \mathbb{Z}^d$ with
$x \Rightarrow^{v_1} x_1 \Rightarrow^{v_2} \cdots \Rightarrow^{v_n} x_n = y$ and $v = v_1 + \cdots + v_n$. We use the notation $\Rightarrow$
if the counter effects do not matter: We have $x \Rightarrow y$ if there exists $v$ such that
$x \Rightarrow^{v} y$; and similarly for $\Rightarrow^{*}$. If derivations are restricted to a subset $Q \subseteq P$ of
productions, we write $\Rightarrow_Q$ (resp. $\Rightarrow^{*}_Q$).

The language of the Z-grammar $G$ is the set of all words $w \in \Sigma^*$ such that
$S \Rightarrow^{*}_{\mathbf{0}} w$. In other words, if there exists a derivation $S \Rightarrow^{*} w$ where the effects
of all occurring productions sum to the zero vector $\mathbf{0}$. Z-grammars of dimension
$d$ are also known as valence grammars over $\mathbb{Z}^d$ [21].

For our purposes it suffices to assume a unary encoding of the $\mathbb{Z}^d$-vectors
(effects) occurring in Z-VASS and Z-grammars. However, this is not a restriction: 
Counter updates with n-bit binary encoded numbers can be easily simulated 
with unary encodings at the expense of dn many fresh counters (see the full 
version [5]). 


Conversion results. The following is our first main theorem: 


Theorem 1. RBCA can be converted into Z-VASS in logarithmic space. 
PRBCA can be converted into Z-grammars in logarithmic space. 


By convert, we mean a translation that preserves the accepted (resp. generated) 
language. There are several machine models that are equivalent (in terms of 
accepted languages) to RBCA. With Theorem 1, we provide the last missing 
translation: 


Corollary 1. The following models can be converted into each other in logarithmic
space: (i) RBCA, (ii) Z-VASS, (iii) Parikh automata with ∃PA acceptance,
and (iv) Parikh automata with semilinear acceptance.


Roughly speaking, a Parikh automaton is a machine with counters that can
only be incremented. Then, a run is accepting if the final counter values belong
to some semilinear set. Parikh automata were introduced by Klaedtke and
Rueß [41], where the acceptance condition is specified using a semilinear representation
(with base and period vectors), yielding (iv) above. As done, e.g.,
in [33], one could also specify it using an existential Presburger formula (briefly
∃PA), yielding the model in (iii) above. Theorem 1 proves (i)⇒(ii), whereas
(ii)⇒(i) is easy (a clever and very efficient translation is given in [40, Theorem
4.5]). Moreover, (ii)⇒(iii) and (ii)⇒(iv) are clear as well. For (iii)⇒(ii), one can
proceed as in [30, Prop. V.1], and (iv)⇒(ii) is also simple.


Unboundedness predicates. We shall use Theorem 1 to prove our second
main theorem, which involves unboundedness predicates as introduced in [15].
In [15], unboundedness predicates can be one-dimensional or multi-dimensional,
but in this work, we only consider one-dimensional unboundedness predicates.
Let $\Sigma$ be an alphabet. A (language) predicate is a set of languages over $\Sigma$. If
$p$ is a predicate and $L \subseteq \Sigma^*$ is a language, then we write $p(L)$ to denote that $p$
holds for the language $L$ (i.e. $L \in p$). A predicate $p$ is called a (one-dimensional)
unboundedness predicate if the following conditions are met for all $K, L \subseteq \Sigma^*$:

(U1) If $p(K)$ and $K \subseteq L$, then $p(L)$.
(U2) If $p(K \cup L)$, then $p(K)$ or $p(L)$.
(U3) If $p(K \cdot L)$, then $p(K)$ or $p(L)$.
(U4) $p(L)$ if and only if $p(F(L))$.


Here $F(L) = \{v \in \Sigma^* \mid \exists u, w \in \Sigma^* \colon uvw \in L\}$ is the set of factors of $L$
(sometimes also called infixes). In particular, the last condition says that $p$ only
depends on the set of factors occurring in a language.
For an unboundedness predicate p and a class C of finitely represented lan-
guages (such as automata or grammars), let p(C) denote the problem of deciding
p for a given language L from C. Formally, p(C) is the following decision problem:


Given A language L from C. 
Question Does p(L) hold? 


For example, p(RBCA) is the problem of deciding p for reversal-bounded multi- 
counter automata and p(NFA) is the problem of deciding p for NFAs. We mention 
that the axioms (U1)–(U4) are slightly stronger than the axioms used in [15],
but the resulting set of decision problems is the same with either definition 
(since in [15], one always decides whether p(F(L)) holds). Thus, the statement of 
Theorem 2 is unaffected by which definition is used. See the full version [5] for 
details. 

The following examples of (one-dimensional) unboundedness predicates for 
languages L C X* have already been established in [15]. We mention them here 
to give an intuition for the range of applications of our results: 


Not being bounded: Let $p_{\mathrm{notb}}(L)$ if and only if $L$ is not a bounded language.
Non-emptiness: Let $p_{\neq\emptyset}(L)$ if and only if $L \neq \emptyset$.
Infinity: Let $p_{\infty}(L)$ if and only if $L$ is infinite.
Factor-universality: Let $p_{\mathrm{funi}}(L)$ if and only if $\Sigma^* \subseteq F(L)$.


It is not difficult to prove that these are unboundedness predicates, but proofs 
can be found in [15]. The following is our second main theorem: 


Theorem 2. Let p be a one-dimensional unboundedness predicate. There is an 
NP reduction from p(PRBCA) to p(PDA). Moreover, there is an NP reduction 
from p(RBCA) to p(NFA). 


Here, an NP reduction from problem $A \subseteq \Sigma^*$ to $B \subseteq \Sigma^*$ is a non-deterministic
polynomial-time Turing machine such that for every input word $w \in \Sigma^*$, we
have $w \in A$ iff there exists a run of the Turing machine producing a word in $B$.
Let us now see some applications of Theorem 2, see also Table 1. The following 
completeness results are all meant w.r.t. deterministic logspace reductions. 


Corollary 2. Boundedness for PRBCA and for RBCA is coNP-complete. 


For Corollary 2, we argue that deciding non-boundedness is NP-complete. To
this end, we apply Theorem 2 to the predicate $p_{\mathrm{notb}}$ and obtain an NP upper
bound, because boundedness for context-free languages is decidable in polynomial
time [24]. The NP lower bound follows easily from NP-hardness of the
non-emptiness problem for RBCA [28, Theorem 3] and thus PRBCA.


Corollary 3. Finiteness for PRBCA and for RBCA is coNP-complete. 


We show Corollary 3 by proving that checking infinity is NP-complete. The upper
bound follows from Theorem 2 via the predicate $p_{\infty}$. As above, NP-hardness is
inherited from the non-emptiness problem for RBCA and PRBCA.
The results in Corollary 3 are, however, not new. They follow directly from
the fact that for a given PRBCA (or RBCA), one can construct in polynomial
time a formula in existential Presburger arithmetic (∃PA) for its Parikh image,
as shown in [36] for RBCA and in [32] for PRBCA. It is a standard result about
∃PA that for each formula $\varphi$, there exists a bound $B$ such that (i) $B$ is at most
exponential in the size of $\varphi$ and (ii) $\varphi$ defines an infinite set if and only if $\varphi$
is satisfied for some vector with some entry above $B$. For example, this can be
deduced from [53]. Therefore, one can easily construct a second ∃PA formula $\varphi'$
such that $\varphi$ defines an infinite set if and only if $\varphi'$ is satisfiable.


Corollary 4. Factor universality for RBCA is PSPACE-complete. 


Whether factor universality is decidable for RBCA was left as an open problem
in [17, 18] (there under the term infix density). Corollary 4 follows from Theorem
2 using $p_{\mathrm{funi}}$, because factor universality for NFAs is PSPACE-complete: To
decide if $\Sigma^* \subseteq F(R)$, for a regular language $R$, we can just compute an automaton
for $F(R)$ and check inclusion in PSPACE. For the lower bound, one can reduce
the PSPACE-complete universality problem for NFAs, since for $R \subseteq \Sigma^*$, the language
$(R\#)^* \subseteq (\Sigma \cup \{\#\})^*$ is factor universal if and only if $R = \Sigma^*$. Note that factor
universality is known to be undecidable already for one-counter languages [18],
and thus in particular for PRBCA. However, it is decidable for pushdown automata
with a bounded number of reversals of the stack [18].


Beyond pushdowns. Theorem 2 raises the question of whether for any class 
M of machines, one can reduce any unboundedness predicates for M extended 
with reversal-bounded counters to the same predicate for just M. This is not the 
case: For example, consider second-order pushdown automata, short 2-PDA. If 
we extend these by adding reversal-bounded counters, then we obtain 2-PRBCA. 
Then, the infinity problem is decidable for 2-PDA [34] (see [3, 4, 14, 31, 52, 56] 
for stronger results). However, the class of 2-PRBCA does not even have decid- 
able emptiness, let alone decidable infinity. This is shown in [57, Proposition 7] 
(see [42, Theorem 4] for an alternative proof). Thus, infinity for 2-PRBCA can- 
not be reduced to infinity for 2-PDA. 


Growth. Finally, we employ the methods of the proof of Theorem 2 to show
a dichotomy of the growth behavior of languages accepted by RBCA. For an
alphabet $\Sigma$, we denote by $\Sigma^{\le m}$ the set of all words over $\Sigma$ of length at most $m$.
We say that a language $L \subseteq \Sigma^*$ has polynomial growth² if there is a polynomial
$p(x)$ such that $|L \cap \Sigma^{\le m}| \le p(m)$ for all $m \ge 0$. Languages of polynomial growth
are also called sparse or poly-slender. We say that $L$ has exponential growth if
there is a real number $r > 1$ such that $|L \cap \Sigma^{\le m}| \ge r^m$ for infinitely many $m$. Since
a language of the form $w_1^* \cdots w_n^*$ clearly has polynomial growth, it is well-known
that bounded languages have polynomial growth. We show that (a) within the
PRBCA languages (and in particular within the RBCA languages), the converse
is true as well and (b) all other languages have exponential growth (in contrast
to some models, such as 2-PDA [27], where this dichotomy does not hold):


² In [24], polynomial and exponential growth are defined with $\Sigma^m$ in place of $\Sigma^{\le m}$,
but this leads to equivalent notions, see the full version [5].


Theorem 3. Let L be a language accepted by a PRBCA. Then L has polynomial 
growth if and only if L is bounded. If L is not bounded, it has exponential growth. 


3 Translating reversal-bounded counters into Z-counters 


Reducing the number of reversals to one. In this section we prove Theorem
1, the conversion from RBCA to Z-VASS. In [28, Lemma 1], it is claimed
that given a $(k,r)$-RBCA, one can construct in time polynomial in $k$ and $r$ a
$(k\lceil (r+1)/2 \rceil, 1)$-RBCA that accepts the same language. The reference [2] that
they provide does include such a construction [2, proof of Theorem 5]. The construction
in [2] is only a rough sketch and makes no claims about complexity,
but by our reading of the construction, it keeps track of the reversals of each
counter in the state, which would result in an exponential blow-up.

Instead, we proceed as follows. Consider a $(k,r)$-RBCA with counters
$c_1, \ldots, c_k$. Without loss of generality, assume $r = 2m - 1$. We will construct
an equivalent $(2k(r+1), 1)$-RBCA. Looking at the behavior of a single counter
$c_i$, we can decompose every $r$-reversal bounded run into subruns without reversals.
We call these subruns phases and number them from 1 to at most $2m$. The
odd (even) numbered phases are positive (negative), where $c_i$ is only incremented
(decremented). We replace $c_i$ by $m$ one-reversal counters $c_{i,1}, \ldots, c_{i,m}$, where $c_{i,j}$
records the increments on $c_i$ during the positive phase $2j - 1$.

However, our machine needs to keep track of which counters are in which
phase, in order to know which of the counters $c_{i,j}$ it currently has to use. We
achieve this as follows: For each of the $k$ counters $c_i$, we also have an additional
set of $2m = r + 1$ “phase counters” $p_{i,1}, \ldots, p_{i,2m}$ to store which phase we are in.
This gives $km + k(r+1) \le 2k(r+1)$ counters in total. We encode that counter
$c_i$ is in phase $j$ by setting $p_{i,j}$ to 1 and setting $p_{i,j'}$ to 0 for each $j' \neq j$. Since
we only ever increase the phase, the phase counters are one-reversal as well.

Using non-zero-tests, at any point, the automaton can nondeterministically
guess and verify the current phase of each counter. This allows it to pick the
correct counter $c_{i,j}$ for each instruction. When counter $c_i$ is in a positive phase
$2j - 1$, then increments and decrements on $c_i$ are simulated as follows:


increment: increment $c_{i,j}$.

decrement: go into the next (negative) phase $2j$; then non-deterministically
pick some $\ell \in [1, j]$ and decrement $c_{i,\ell}$. We cannot simply decrement $c_{i,j}$ as
we might have switched to phase $j$ while $c_i$ had a non-zero value and hence
it is possible that $c_i$ could be decremented further than just $c_{i,j}$ allows.


When counter $c_i$ is in a negative phase $2j$, then we simulate increments and
decrements as follows:


increment: go into the next phase $2j + 1$ (unless $j = m$; then the machine
blocks) and increment $c_{i,j+1}$.

decrement: non-deterministically pick some $\ell \in [1, j]$ and decrement $c_{i,\ell}$.


Finally, to simulate a zero-test on $c_i$, we test all counters $c_{i,1}, \ldots, c_{i,m}$ for zero,
while for the simulation of a non-zero-test on $c_i$ we non-deterministically pick
one of the counters $c_{i,1}, \ldots, c_{i,m}$ to test for non-zero.

Correctness can be easily verified by the following properties. If at some point
$c_i$ is in phase $2j - 1$ or $2j$ then (i) $\sum_{\ell=1}^{j} c_{i,\ell} = c_i$, (ii) the counters $c_{i,1}, \ldots, c_{i,j}$
have made at most one reversal, and (iii) the counters $c_{i,j+1}, \ldots, c_{i,m}$ have not
been touched (in particular, they are zero). Furthermore, if $c_i$ is in a positive
phase $2j - 1$ then $c_{i,j}$ has made no reversal yet.

Note that this construction replaces every transition of the original system
with $O(r)$ new transitions (and states). Our construction therefore yields only
a linear blowup in the size of the system (constant if $r$ is fixed). See the full
version [5] for the details of the construction.
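To make the bookkeeping of this reduction concrete, here is an added example (my own code, not the paper's construction) that replays a sequence of increments and decrements on a single counter $c_i$ against the $m$ one-reversal counters $c_{i,1}, \ldots, c_{i,m}$ and checks properties (i)–(iii) after every step. It assumes the phase is kept as a plain integer rather than as the unary phase counters $p_{i,j}$, and resolves the non-deterministic choice of $\ell$ by taking the first sub-counter that is non-zero.

```python
class PhaseSimulator:
    """Bookkeeping for one counter c_i of a (k, r)-RBCA with r = 2m - 1: c_i is
    replaced by the one-reversal counters c_{i,1..m}.  The phase (1..2m) is kept
    as an integer here instead of the unary phase counters p_{i,1..2m}; the
    value of c_i itself is tracked only to check the invariants (assumptions
    of this example, not the paper's encoding)."""

    def __init__(self, m):
        self.m = m
        self.sub = [0] * m          # c_{i,1}, ..., c_{i,m}
        self.last = [None] * m      # last non-test operation on each c_{i,l}
        self.revs = [0] * m         # reversals made by each c_{i,l}
        self.phase = 1              # odd = positive phase, even = negative phase
        self.value = 0              # the original counter c_i

    def _apply(self, idx, kind):
        if self.last[idx] is not None and self.last[idx] != kind:
            self.revs[idx] += 1
        self.last[idx] = kind
        self.sub[idx] += 1 if kind == "inc" else -1

    def inc(self):
        if self.phase % 2 == 0:             # negative phase 2j: move to 2j+1
            if self.phase // 2 == self.m:
                raise RuntimeError("phase 2m has no successor: the machine blocks")
            self.phase += 1
        j = (self.phase + 1) // 2           # positive phase 2j-1 uses c_{i,j}
        self._apply(j - 1, "inc")
        self.value += 1

    def dec(self):
        if self.value == 0:
            raise RuntimeError("decrement of a zero counter blocks")
        if self.phase % 2 == 1:             # positive phase 2j-1: move to 2j
            self.phase += 1
        j = self.phase // 2
        # The construction guesses some l in [1, j] with c_{i,l} > 0.  By
        # invariant (i) one exists, and any choice keeps every c_{i,l} one-reversal,
        # so this example simply takes the first one.
        idx = next(l for l in range(j) if self.sub[l] > 0)
        self._apply(idx, "dec")
        self.value -= 1

    def zero(self):                         # simulated zero-test on c_i
        return all(v == 0 for v in self.sub)

    def nz(self):                           # simulated non-zero-test on c_i
        return any(v != 0 for v in self.sub)

    def invariants_hold(self):
        """Properties (i)-(iii) for the current phase 2j-1 or 2j."""
        j = (self.phase + 1) // 2
        return (sum(self.sub[:j]) == self.value
                and all(r <= 1 for r in self.revs[:j])
                and all(self.last[l] is None for l in range(j, self.m)))


def run(ops, m):
    """Replay a string of '+' (inc) and '-' (dec) on a fresh simulator with m
    sub-counters, checking the invariants after every step; returns the simulator."""
    sim = PhaseSimulator(m)
    for op in ops:
        sim.inc() if op == "+" else sim.dec()
        assert sim.invariants_hold(), (ops, sim.phase, sim.sub)
    return sim


def blocks(ops, m):
    """True iff replaying ops blocks: more than 2m-1 reversals, or a decrement on zero."""
    try:
        run(ops, m)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    # "++-+--" makes 3 reversals on c_i, so m = 2 (r = 3) suffices; one more
    # increment would be a 4th reversal and blocks with m = 2 but not m = 3.
    s = run("++-+--", 2)
    print(s.sub, s.revs, s.phase, blocks("++-+--+", 2), blocks("++-+--+", 3))
```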


From 1-reversal to Z-counters. We now turn the (k,1)-RBCA into a Z- 
VASS. The difference between a 1-reversal-bounded counter and a Z-counter 
is that (i) a non-negative counter should block if it is decremented on counter 
value 0, and (ii) a 1-reversal-bounded counter allows (non-)zero-tests. Observe
that all zero-tests occur before the first increment or after the last decrement. 
All non-zero-tests occur between the first increment and the last decrement. 

If the number k of counters is bounded, then the following simple solution 
works. The Z-VASS stores the information which of the counters has not been 
incremented yet and which counters will not be incremented again in the future. 
This information suffices to simulate the counters faithfully (in terms of the 
properties (i) and (ii) above) and increases the state space by a factor of $2^k \cdot 2^k$.
The latter information needs to be guessed (by the automaton) and is verified
by the requirement that all counters are zero in the end.

In the general case we introduce a variant of Z-VASS that can guess polynomially
many bits in the beginning and read them throughout the run. A
$d$-dimensional Z-VASS with guessing (Z-VASSG) has almost the same format
as a $d$-dimensional Z-VASS, except that each transition additionally carries a
propositional formula over some finite set of variables $X$. A word $w \in \Sigma^*$ is
accepted by the Z-VASSG if there exists an assignment $\nu \colon X \to \{0, 1\}$ and an
accepting run $(q_0, \mathbf{0}) \xrightarrow{w} (q, \mathbf{0})$ for some $q \in F$ such that all formulas appearing
throughout the run are satisfied by $\nu$.

We have to eliminate zero- and non-zero-tests of the $(k,1)$-RBCA. Whether
a (non-)zero-test is successful depends on which phase a counter is currently
in (and whether in the end, every counter is zero; but we assume that our
acceptance condition ensures this). Each counter goes through at most 4 phases:


1. before the first increment,
2. the “increment phase”,
3. the “decrement phase”, and
4. after the last decrement.


Hence, every run can be decomposed into $4k$ (possibly empty) segments, in which
no counter changes its phase. The idea is to guess the phase of each counter
in each segment. Hence, we have propositional variables $p_{i,j,\ell}$ for $i \in [1, 4k]$,
$j \in [1, k]$, and $\ell \in [1, 4]$. Then $p_{i,j,\ell}$ is true iff in segment $i$, counter $j$ is in phase $\ell$.
We will have to check that the assignment is admissible for each counter, meaning
that the sequence of phases for each counter adheres to the order described above.

We modify the machine as follows. In its state, it keeps a number $i \in [1, 4k]$
which holds the current segment. At the beginning of the run, the machine checks
that the assignment $\nu$ is admissible using a propositional formula: It checks that
(i) for each segment $i$ and each counter $j$ there exists exactly one phase $\ell$ so
that $p_{i,j,\ell}$ is true, and (ii) the order of phases above is obeyed. Then, for every
operation on a counter, the machine checks that the operation is consistent with
the current segment. Moreover, if the current operation warrants a change of the
segment, then the segment counter $i$ is incremented. For example, if a counter
in phase 1 is incremented, it switches to phase 2 and the segment counter is
incremented; or, if a counter in phase 3 is tested for zero, it switches to phase 4
and the segment counter is incremented.

With these modifications, we can zero-test by checking variables correspond- 
ing to the current segment: A zero-test can only succeed in phase 1 and 4. 
Similarly, for a non-zero-test, we can check if the counter is in phase 2 or 3. 


Turning a Z-VASSG into a Z-VASS. To handle the general case mentioned
above, we need to show how to convert Z-VASSG into ordinary Z-VASS. In a
preparatory step, we ensure that each formula is a literal. A transition labeled by
a formula $\varphi$ is replaced by a series-parallel graph: After bringing $\varphi$ into negation
normal form by pushing negations inwards, we can replace conjunctions by a
series composition and disjunctions by a parallel composition (non-determinism).

The Z-VASS works as follows. In addition to the original counters of the
Z-VASSG, it has for each variable $x \in X$ two additional counters: $x^+$ and $x^-$. Here,
$x^+$ ($x^-$) counts how many times $x$ is read with a positive (negative) assignment.
By making sure that either $x^+ = 0$ or $x^- = 0$ in the end, we guarantee that we
always read the same value of $x$.

Thus, in order to check a literal, our Z-VASS increments the corresponding
counter. In the end, before reaching a final state, it goes through each variable
$x \in X$ and either enters a loop decrementing $x^+$ or a loop decrementing $x^-$.
Then, it can reach the zero vector only if all variable checks had been consistent.


From PRBCA to Z-grammars. It remains to convert in logspace a $(k,r)$-PRBCA
into an equivalent Z-grammar. Just as for converting an RBCA into
a Z-VASS, one can convert a PRBCA into an equivalent Z-PVASS (pushdown
vector addition system with $\mathbb{Z}$-counters). Afterwards, one applies the classical
transformation from pushdown automata to context-free grammars (a.k.a. triple
construction), cf. [1, Lemma 2.26]: We introduce for every state pair $(p, q)$ a
nonterminal $X_{p,q}$, deriving all words which are read between $p$ and $q$ (starting
and ending with empty stacks). For example, we introduce productions $X_{p,q} \to
a X_{p',q'} b$ for all push transitions $(p, a, \gamma, p')$ and pop transitions $(q', b, \bar{\gamma}, q)$. The
counter effects of transitions in the Z-PVASS (vectors in $\mathbb{Z}^k$) are translated into
effects of the productions, e.g. the effect of the production $X_{p,q} \to a X_{p',q'} b$ above
is the sum of the effects of the corresponding push- and pop-transition.


4 Deciding unboundedness predicates 


Proof overview. In this section, we prove Theorem 2. Let us begin with a
sketch. Our task is to take a PRBCA $A$ and non-deterministically compute a
PDA $A'$ so that $L(A)$ satisfies $p$ if and only if some of the outcomes for $A'$ satisfy
$p$. It will be clear from the construction that if the input was an RBCA, then
the resulting PDA will be an NFA. Using Theorem 1 we will phrase the main
part of the reduction in terms of Z-grammars, meaning we take a Z-grammar $G$
as input and non-deterministically compute context-free grammars $G'$.

The idea of the reduction is to identify a set of productions in $G$ that, in
some appropriate sense, can be canceled (regarding the integer counter values)
by a collection of other productions. Then, $G'$ is obtained by only using a set of
productions that can be canceled. Moreover, these productions are used regardless
of what counter updates they perform. Then, to show the correctness, we
argue in two directions: First, we show that any word derivable by $G'$ occurs as
a factor of $L(G)$. Essentially, this is because each production used in $G'$ can be
canceled by adding more productions in $G$, thus yielding a complete derivation of
$G$. Thus, we have that $L(G') \subseteq F(L(G))$, which by the axioms of unboundedness
predicates means that $p(L(G'))$ implies $p(L(G))$. Second, we show that $L(G)$ is
a finite union of products (i.e. concatenations) $P_j = L_1 \cdot L_2 \cdots L_n$ such that each
$L_i$ is either finite or included in $L(G')$ for some $G'$ among all non-deterministic
outcomes. Again, by the axioms of unboundedness predicates, this means that
if $p(L(G))$, then $p(L(G'))$ must hold for some $G'$.


Unboundedness predicates and finite languages. Before we start with the proof, let us observe that we may assume that our unboundedness predicate is only satisfied for infinite sets. First, suppose $\rho$ is satisfied for $\{\varepsilon\}$. This implies that $\rho = \rho_{\neq\emptyset}$, and hence we can decide $\rho(L)$ by deciding whether $L \neq \emptyset$, which can be done in NP [32]. From now on, suppose that $\rho$ is not satisfied for $\{\varepsilon\}$. Consider the alphabet $\Sigma_1 := \{a \in \Sigma \mid \rho(\{a\})\}$. Now observe that if $K \subseteq \Sigma^*$ is finite, then by the axioms of unboundedness predicates, we have $\rho(K)$ if and only if some letter from $\Sigma_1$ appears in $K$. Thus, if $L \subseteq (\Sigma \setminus \Sigma_1)^*$, then $\rho(L)$ can only hold if $L$ is infinite. This motivates the following definition. Given a language $L \subseteq \Sigma^*$, we define
\[ L_0 := L \cap (\Sigma \setminus \Sigma_1)^*, \qquad L_1 := L \cap \Sigma^* \Sigma_1 \Sigma^*. \]
Then, $\rho(L)$ if and only if $\rho(L_0)$ or $\rho(L_1)$. Moreover, $\rho(L_1)$ is equivalent to $L_1 \neq \emptyset$.

Therefore, our reduction proceeds as follows. We construct (P)RBCA for $L_0$ and for $L_1$. This can be done in logspace, because intersections with regular languages can be done with a simple product construction. Then, we check in NP whether $L_1 \neq \emptyset$. If yes, then we return "unbounded". If no, we regard $\rho$ as an unboundedness predicate on languages over $\Sigma \setminus \Sigma_1$ with the additional property that $\rho$ is only satisfied for infinite languages. Thus, it suffices to prove Theorem 2 in the case that $\rho$ is only satisfied for infinite sets.


Pumps and cancelation. In order to define our notion of cancelable productions, we need some terminology. We will need to argue about derivation trees for Z-grammars. For any alphabet $\Gamma$ and $d \in \mathbb{N}$, let $\mathcal{T}_{\Gamma,d}$ be the set of all finite trees where every node is labeled by both (i) a letter from $\Gamma$ and (ii) a vector from $\mathbb{Z}^d$. Suppose $G = (N, \Sigma, P, S)$ is a $d$-dimensional Z-grammar. For a production $p = (A \to u, v)$, we write $\varphi(p) := v$ for its associated counter effect. To each derivation in $G$, we associate a derivation tree from $\mathcal{T}_{N \cup \Sigma, d}$ as for context-free grammars. The only difference is that whenever we apply a production $(A \to u, v)$, then the node corresponding to the rewritten $A$ is also labeled with $v$. As in context-free grammars, the leaf nodes carry terminal letters; their vector label is just $0 \in \mathbb{Z}^d$.

We extend the map $\varphi$ both to vectors in $\mathbb{N}^P$ and to derivation trees. If $u \in \mathbb{N}^P$, then $\varphi(u) = \sum_{p \in P} \varphi(p) \cdot u[p]$. Similarly, if $\tau$ is a derivation tree, then $\varphi(\tau) \in \mathbb{Z}^d$ is the sum of all labels from $\mathbb{Z}^d$. A derivation tree $\tau$ for a derivation $A \Rightarrow^* u$ is called complete if $A = S$, $u \in \Sigma^*$ and $\varphi(\tau) = 0$. In other words, $\tau$ derives a terminal word and the total counter effect of the derivation is zero. For such a complete derivation, we also write $\mathrm{yield}(\tau)$ for the word $u$. A derivation tree $\tau$ is called a pump if it is the derivation tree of a derivation of the form $A \Rightarrow^* uAv$ for some $u, v \in \Sigma^*$ and $A \in N$. A subset $M \subseteq N$ of the non-terminals is called realizable if there exists a complete derivation of $G$ that contains all non-terminals in $M$ and no non-terminals outside of $M$.

A production $p \in P$ is called $M$-cancelable if there exist pumps $\tau_1, \ldots, \tau_k$ (for some $k \in \mathbb{N}$) such that (i) $p$ occurs in some $\tau_i$, (ii) $\varphi(\tau_1) + \cdots + \varphi(\tau_k) = 0$, i.e. the total counter effect of $\tau_1, \ldots, \tau_k$ is zero, and (iii) all productions in $\tau_1, \ldots, \tau_k$ only use non-terminals from $M$. We say that a subset $Q \subseteq P$ is $M$-cancelable if all productions in $Q$ are $M$-cancelable.


The reduction. Using the notion of $M$-cancelable productions, we are ready to describe how the context-free grammars are constructed. Suppose that $M$ is realizable, that $Q \subseteq P$ is $M$-cancelable, and that $A \in M$. Consider the language
\[ L_{A,Q} = \{u, v \in \Sigma^* \mid \exists \text{ derivation } A \Rightarrow^*_Q uAv\}. \]
Thus $L_{A,Q}$ consists of all words $u$ and $v$ appearing in derivations (whose counter values are not necessarily zero) of the form $A \Rightarrow^* uAv$, if we only use productions from $Q$, i.e. only $M$-cancelable productions. The $L_{A,Q}$ will be the languages $L(G')$ mentioned above.

It is an easy observation that we can, given $G$ and a subset $Q \subseteq P$, construct a context-free grammar for $L_{A,Q}$:

Lemma 1. Given a Z-grammar $G$, a non-terminal $A$, and a subset $Q \subseteq P$, we can construct in logspace a context-free grammar for $L_{A,Q}$. Moreover, if $G$ is left-linear, then the construction yields an NFA for $L_{A,Q}$.
We provide details in the full version [5]. Now, our reduction works as follows:

1. Guess a subset $M \subseteq N$ and an $A \in M$; verify that $M$ is realizable.
2. Guess a subset $Q \subseteq P$; verify that $Q$ is $M$-cancelable.
3. Compute a context-free grammar for $L_{A,Q}$.


Here, we need to show that steps 1 and 2 can be done in NP: 


Lemma 2. Given a subset $M \subseteq N$, we can check in NP whether $M$ is realizable. Moreover, given $M \subseteq N$ and $p \in P$, we can check in NP if $p$ is $M$-cancelable.


Both can be done using the fact that for a given context-free grammar, one 
can construct a Parikh-equivalent existential Presburger formula [55] and the 
fact that satisfiability of existential Presburger formulas is in NP. See the full 
version [5] for details. This completes the description of our reduction. Therefore, 
it remains to show correctness of the reduction. In other words, to prove: 


Proposition 1. We have $\rho(L(G))$ if and only if $\rho(L_{A,Q})$ for some subset $Q \subseteq P$ such that there is a realizable $M \subseteq N$ with $A \in M$ and $Q$ being $M$-cancelable.


Proposition 1 will be shown in two lemmas: 


Lemma 3. If $M$ is realizable and $Q$ is $M$-cancelable, then $L_{A,Q} \subseteq F(L(G))$ for every $A \in M$.

Lemma 4. $L(G)$ is included in a finite union of sets of the form $K_1 \cdot K_2 \cdots K_m$, where each $K_i$ is either finite or a set $L_{A,Q}$, where $Q$ is $M$-cancelable for some realizable $M \subseteq N$, and $A \in M$.


Let us see why Proposition 1 follows from Lemmas 3 and 4. 


Proof (Proposition 1). We begin with the "if" direction. Thus, suppose $\rho(L_{A,Q})$ for $A$ and $Q$ as described. Then by Lemma 3 and the first and fourth axioms of unboundedness predicates, this implies $\rho(L(G))$.

For the "only if" direction, suppose $\rho(L(G))$. By the first axiom of unboundedness predicates, $\rho$ must hold for the finite union provided by Lemma 4. By the second axiom, this implies $\rho(K_1 \cdots K_m)$ for a finite product $K_1 \cdots K_m$ as in Lemma 4. Moreover, by the third axiom, this implies $\rho(K_i)$ for some $i \in \{1, \ldots, m\}$. If $K_i$ is finite, then by assumption, $\rho(K_i)$ does not hold. Therefore, we must have $\rho(K_i)$ for some $K_i = L_{A,Q}$, as required.


Flows. It remains to prove Lemmas 3 and 4. We begin with Lemma 3, and for this we need some more terminology. Let $\Sigma$ be an alphabet. By $\Psi\colon \Sigma^* \to \mathbb{N}^\Sigma$, we denote the Parikh map, which is defined as $\Psi(w)(a) = |w|_a$ for $w \in \Sigma^*$ and $a \in \Sigma$. In other words, $\Psi(w)(a)$ is the number of occurrences of $a$ in $w \in \Sigma^*$. If $\Gamma \subseteq \Sigma$ is a subset, then $\pi_\Gamma\colon \Sigma^* \to \Gamma^*$ is the homomorphism with $\pi_\Gamma(a) = \varepsilon$ for $a \in \Sigma \setminus \Gamma$ and $\pi_\Gamma(a) = a$ for $a \in \Gamma$. We also call $\pi_\Gamma$ the projection to $\Gamma$.

Suppose we have a Z-grammar $G = (N, \Sigma, P, S)$ with non-terminals $N$ and productions $P$. For a derivation tree $\tau$, we write $\Psi(\tau)$ for the vector in $\mathbb{N}^P$ that counts how many times each production appears in $\tau$. We introduce a map $\partial$, which counts how many non-terminals each production consumes and produces. Formally, $\partial\colon \mathbb{N}^P \to \mathbb{Z}^N$ is the monoid homomorphism that sends the production $p = A \to w$ to the vector $\partial(p) = -A + \Psi(\pi_N(w))$. Here, $-A \in \mathbb{Z}^N$ denotes the vector with $-1$ at the position of $A$ and $0$ everywhere else. A vector $u \in \mathbb{N}^P$ is a flow if $\partial(u) = 0$. Observe that a derivation tree $\tau$ is a pump if and only if $\Psi(\tau)$ is a flow. In this case, we also call the vector $u \in \mathbb{N}^P$ with $u = \Psi(\tau)$ a pump.

The following lemma will provide an easy way to construct derivations. It is 
a well-known result by Esparza [19, Theorem 3.1], and has since been exploited 
in several results on context-free grammars. Our formulation is slightly weaker 
than Esparza’s. However, it is enough for our purposes and admits a simple 
proof, which is inspired by a proof of Kufleitner [44]. 


Lemma 5. Let $f \in \mathbb{N}^P$. Then $f$ is a flow if and only if it is a sum of pumps.


Proof. The "if" direction is trivial, because every pump is clearly a flow. Conversely, suppose $f \in \mathbb{N}^P$ is a flow. We can clearly write $f = \Psi(\tau_1) + \cdots + \Psi(\tau_n)$, where $\tau_1, \ldots, \tau_n$ are derivation trees: we can just view each production occurrence in $f$ as its own derivation tree. Now suppose that we have $f = \Psi(\tau_1) + \cdots + \Psi(\tau_n)$ so that $n$ is minimal. We claim that then each $\tau_i$ is a pump, proving the lemma.

Suppose not; then without loss of generality, $\tau_1$ is not a pump. Since $\tau_1$ is a derivation tree, this means $\Psi(\tau_1)$ cannot be a flow, and thus there must be a non-terminal $A$ with $\partial(\Psi(\tau_1))(A) \neq 0$.

Let us first assume that $\partial(\Psi(\tau_1))(A) > 0$. Since the root of $\tau_1$ consumes at most one occurrence of $A$, this means that some leaf of $\tau_1$ is labeled with the non-terminal $A$. Since $f = \Psi(\tau_1) + \cdots + \Psi(\tau_n)$ is a flow, we must have $\partial(\Psi(\tau_2) + \cdots + \Psi(\tau_n))(A) < 0$. This, in turn, is only possible if some $\tau_j$ has $A$ as its start symbol. We can therefore merge $\tau_1$ and $\tau_j$ by replacing the $A$-labeled leaf of $\tau_1$ by the subtree $\tau_j$. We obtain a new collection of $n-1$ trees whose Parikh image is $f$, in contradiction to the choice of $n$. If $\partial(\Psi(\tau_1))(A) < 0$, then there must be a $\tau_j$ with $\partial(\Psi(\tau_j))(A) > 0$, so $\tau_j$ has an $A$-labeled leaf, and thus we can insert $\tau_1$ below $\tau_j$ at that leaf, reaching a similar contradiction.
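The merging argument in the proof of Lemma 5 is constructive. The following Python code, an added example that is not part of the paper or of any implementation by its authors, carries it out on a small hypothetical grammar: a vector $f \in \mathbb{N}^P$ is a multiset of production names, $\partial$ is computed per non-terminal, and the decomposition starts from one single-level tree per production occurrence and repeatedly hangs one tree below a non-terminal leaf of another, exactly as in the two cases of the proof. The grammar `PRODUCTIONS` and all function names are assumptions of the example; counter vectors are omitted because Lemma 5 concerns only the non-terminal balance.

```python
from collections import Counter

# Hypothetical Z-grammar with the counter vectors omitted (they play no role in Lemma 5).
# Non-terminals are upper-case, terminals lower-case; each production is name -> (lhs, rhs).
PRODUCTIONS = {
    "p1": ("S", ("a", "S", "b")),
    "p2": ("S", ("A",)),
    "p3": ("A", ("c", "S")),
    "p4": ("A", ("d",)),
}


class Tree:
    """Derivation tree node; prod is the production applied at an internal node, None at a leaf."""

    def __init__(self, label, prod=None, children=None):
        self.label = label
        self.prod = prod
        self.children = children or []


def is_nonterminal(sym):
    return sym[:1].isupper()


def boundary(f):
    """The map d(f): per non-terminal, (#produced) minus (#consumed) by the multiset f of productions.
    Only the non-zero entries are returned, so an empty dict means that f is a flow."""
    d = Counter()
    for name, count in f.items():
        lhs, rhs = PRODUCTIONS[name]
        d[lhs] -= count
        for sym in rhs:
            if is_nonterminal(sym):
                d[sym] += count
    return {a: v for a, v in d.items() if v != 0}


def parikh(tree):
    """Psi(tree): how often each production occurs in the tree."""
    c, stack = Counter(), [tree]
    while stack:
        t = stack.pop()
        if t.prod is not None:
            c[t.prod] += 1
        stack.extend(t.children)
    return c


def parikh_sum(trees):
    """Psi(t_1) + ... + Psi(t_n) as a plain dict of positive counts."""
    return dict(sum((parikh(t) for t in trees), Counter()))


def nonterminal_leaves(tree, a):
    """Unexpanded leaves of tree that carry the non-terminal a."""
    out, stack = [], [tree]
    while stack:
        t = stack.pop()
        if t.prod is None and t.label == a:
            out.append(t)
        stack.extend(t.children)
    return out


def is_pump(tree):
    """A derivation tree is a pump iff its production multiset is a flow."""
    return not boundary(parikh(tree))


def decompose_into_pumps(f):
    """Return pumps t_1..t_n with Psi(t_1)+...+Psi(t_n) = f, by the merging argument of Lemma 5.
    Raises ValueError if f is not a flow, since then no such decomposition exists."""
    if boundary(f):
        raise ValueError("not a flow: %r" % boundary(f))
    # Start with one single-level tree per production occurrence in f.
    trees = []
    for name, count in f.items():
        lhs, rhs = PRODUCTIONS[name]
        for _ in range(count):
            trees.append(Tree(lhs, name, [Tree(s) for s in rhs]))
    while True:
        bad = next((t for t in trees if not is_pump(t)), None)
        if bad is None:
            return trees          # every remaining tree is a pump
        a, surplus = next(iter(boundary(parikh(bad)).items()))
        if surplus > 0:
            # bad has an unexpanded A-leaf and, f being a flow, some other tree is rooted at A:
            # hang that tree below the leaf.
            host, guest = bad, next(t for t in trees if t is not bad and t.label == a)
        else:
            # bad is rooted at A without A-leaves, so some other tree has an A-leaf:
            # hang bad below that leaf.
            host, guest = next(t for t in trees if t is not bad and nonterminal_leaves(t, a)), bad
        leaf = nonterminal_leaves(host, a)[0]
        leaf.prod, leaf.children = guest.prod, guest.children
        trees.remove(guest)       # one tree fewer, Parikh image unchanged
```

Each iteration removes one tree and keeps the total Parikh image, so the loop terminates with a list of pumps; which pumps come out depends on the order in which non-terminals with non-zero balance are picked, as in the proof, where only the existence of some decomposition matters.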


Constructing derivations. Using flows, we can now prove Lemma 3. 


Proof. Suppose there is a derivation $\tau\colon A \Rightarrow^*_Q uAv$ with $A \in M$ and $u, v \in \Sigma^*$. We have to show that both $u$ and $v$ occur in some word $w \in L(G)$. Furthermore, if $G$ is in Chomsky normal form, we can choose $w$ such that $|w|$ is linear in $|u|$ and $|v|$. Our goal is to construct a derivation of $G$ in which we find $u$ and $v$ as factors. We could obtain a derivation tree by inserting $\tau$ into some derivation tree for $G$ (at some occurrence of $A$), but this might yield non-zero counter values. Therefore, we will use the fact that $Q$ is $M$-cancelable to find other pumps that can be inserted as well in order to bring the counter back to zero.

Since $M \subseteq N$ is realizable, there exists a complete derivation $\tau_0$ that derives some word $w_0 \in L(G)$ and uses precisely the non-terminals in $M$. Since $Q \subseteq P$ is $M$-cancelable, we know that for each production $p \in Q$, there exist pumps $\tau_1, \ldots, \tau_k$ such that (i) $p$ occurs in some $\tau_i$, (ii) $\varphi(\tau_1) + \cdots + \varphi(\tau_k) = 0$ and (iii) all productions in $\tau_1, \ldots, \tau_k$ only use non-terminals in $M$. This allows us to define $f_p := \Psi(\tau_1) + \cdots + \Psi(\tau_k)$. Observe that $f_p$ contains only productions with non-terminals from $M$, we have $f_p[p] > 0$, and $\varphi(f_p) = 0$. We can use the flows $f_p$ to find the desired canceling pumps. Since by Lemma 5 every flow can be decomposed into a sum of pumps, it suffices to construct a particular flow. Specifically, we look for a flow $f_\tau \in \mathbb{N}^P$ such that:

1. any production $p$ with $f_\tau[p] > 0$ uses only non-terminals from $M$, and
2. $\varphi(f_\tau + \Psi(\tau)) = 0$.

The first condition ensures that all the resulting pumps can be inserted into $\tau_0$. The second condition ensures that the resulting total counter values will be zero. We claim that with
\[ f_\tau := \Bigl(\sum_{p \in Q} \Psi(\tau)[p] \cdot f_p\Bigr) - \Psi(\tau) \tag{1} \]
we achieve these conditions. First, observe that $f_\tau \in \mathbb{N}^P$: every production $q$ occurring in $\tau$ lies in $Q$, so for any $q$ with $\Psi(\tau)[q] > 0$ we have
\[ f_\tau[q] = \sum_{p \in Q} \Psi(\tau)[p] \cdot f_p[q] - \Psi(\tau)[q] \;\geq\; \Psi(\tau)[q] \cdot f_q[q] - \Psi(\tau)[q] = \Psi(\tau)[q] \cdot (f_q[q] - 1), \]
which is at least zero since $f_q[q] \geq 1$ by definition; for $q$ with $\Psi(\tau)[q] = 0$, $f_\tau[q]$ is a sum of non-negative terms. Second, note that $f_\tau$ is indeed a flow, because it is a $\mathbb{Z}$-linear combination of flows. Moreover, all productions appearing in $f_\tau$ also appear in $f_p$ for some $p \in Q$ or in $\tau$, meaning that all their non-terminals belong to $M$. Finally, the total counter effect of $f_\tau + \Psi(\tau)$ is zero, as $f_\tau + \Psi(\tau) = \sum_{p \in Q} \Psi(\tau)[p] \cdot f_p$ is a sum of flows, each with total counter effect zero.


Now, since $f_\tau$ is a flow, Lemma 5 tells us that there are pumps $\tau'_1, \ldots, \tau'_m$ such that $f_\tau = \Psi(\tau'_1) + \cdots + \Psi(\tau'_m)$. Therefore, inserting $\tau$ and $\tau'_1, \ldots, \tau'_m$ into $\tau_0$ must yield a derivation of a word that has both $u$ and $v$ as factors and also has counter value
\[ \underbrace{\varphi(\tau_0)}_{=0} + \underbrace{\varphi(\tau) + \varphi(\tau'_1) + \cdots + \varphi(\tau'_m)}_{=\varphi(\tau) + \varphi(f_\tau) = 0} = 0. \]
Thus, we have a complete derivation of $G$. Hence $L_{A,Q} \subseteq F(L(G))$.


Decomposition into finite union. It remains to prove Lemma 4. For the decomposition, we show that there exists a finite set $D_0$ of complete derivations such that all complete derivations of $G$ can be obtained from some derivation in $D_0$ by inserting pumps that produce words in $L_{A,Q}$ for some appropriate $A$ and $Q$. Here, it is key that the set $D_0$ of "base derivations" is finite. Showing this for context-free grammars would just require a simple "unpumping" argument based on the pigeonhole principle as in Parikh's theorem [51]. However, in the case of Z-grammars, where $D_0$ should only contain derivations that have counter value zero, this is not obvious. To achieve this, we employ a well-quasi ordering on (labeled) trees. Recall that a quasi ordering is a reflexive and transitive ordering. For a quasi ordering $(X, \leq)$ and a subset $Y \subseteq X$, we write $Y\!\uparrow$ for the set $\{x \in X \mid \exists y \in Y\colon y \leq x\}$. We say that $(X, \leq)$ is a well-quasi ordering (WQO) if every non-empty subset $Y \subseteq X$ has a finite subset $Y_0 \subseteq Y$ such that $Y \subseteq Y_0\!\uparrow$. We define an ordering on all trees in $\mathcal{T}_{N \cup \Sigma, d}$. A tree $s$ is a subtree of $t$ if there exists a node $x$ in $t$ such that $s$ consists of all nodes of $t$ that are descendants of $x$.


If $\tau_1, \ldots, \tau_n$ are trees, then we denote by $r[\tau_1, \ldots, \tau_n]$ the tree with a root node $r$ and the subtrees $\tau_1, \ldots, \tau_n$ directly under the root. Now let $\tau = (A, u)[\tau_1, \ldots, \tau_n]$ and $\tau' = (B, v)[\sigma_1, \ldots, \sigma_m]$ be trees in $\mathcal{T}_{N \cup \Sigma, d}$. We define the ordering $\leq$ as follows. If $n = 0$ (i.e. $\tau$ consists of only one node), then we have $\tau \leq \tau'$ if and only if $A = B$ and $m = 0$. If $n \geq 1$, then we define inductively:
\[ \tau \leq \tau' \iff A = B \text{ and } \exists \text{ subtree } \tau'' = (A, u')[\tau''_1, \ldots, \tau''_n] \text{ of } \tau' \text{ with } \tau_i \leq \tau''_i \text{ for } i = 1, \ldots, n. \]
Based on $\leq$, we define a slight refinement: we write $\tau \sqsubseteq \tau'$ if and only if $\tau \leq \tau'$ and the set of non-terminals appearing in $\tau$ is the same as in $\tau'$.


Lemma 6. $(\mathcal{T}_{N \cup \Sigma, d}, \sqsubseteq)$ is a WQO.

Proof. In [47, Lemma 3.3], it was shown that $\leq$ is a WQO. Then $\sqsubseteq$ is the product of equality on a finite set, which is a WQO, and the WQO $\leq$. $\square$


Lemma 6 allows us to decompose $L(G)$ into a finite union: for each complete derivation $\tau$ of $G$, we define
\[ L_\tau(G) = \{w \in \Sigma^* \mid \exists \text{ complete derivation } \tau' \text{ with } \tau \sqsubseteq \tau' \text{ and } \mathrm{yield}(\tau') = w\}. \]

Lemma 7. There exists a finite set $D_0 \subseteq \mathcal{T}_{N \cup \Sigma, d}$ of complete derivations of $G$ such that $L(G) = \bigcup_{\tau \in D_0} L_\tau(G)$.

Proof. Since $(\mathcal{T}_{N \cup \Sigma, d}, \sqsubseteq)$ is a WQO, the set $D \subseteq \mathcal{T}_{N \cup \Sigma, d}$ of all complete derivations of $G$ has a finite subset $D_0$ with $D \subseteq D_0\!\uparrow$. This implies the lemma.


Decomposition into finite product. In light of Lemma 7, it remains to be shown that for each complete derivation tree $\tau$, we can find a product $K_1 \cdot K_2 \cdots K_m$ of languages such that $L_\tau(G) \subseteq K_1 \cdot K_2 \cdots K_m$ and each $K_i$ is either finite or is of the form $L_{A,Q}$. We construct the overapproximation of $L_\tau(G)$ inductively as follows. Let $M \subseteq N$ and $Q \subseteq P$ be subsets of the non-terminals and the productions, respectively. If $\tau$ has one node, labeled by $a \in \Sigma$, then we set $\mathrm{App}_Q(\tau) := \{a\}$. Moreover, if $\tau = (A, u)[\tau_1, \ldots, \tau_n]$ for $A \in N$ and trees $\tau_1, \ldots, \tau_n$, then we set
\[ \mathrm{App}_Q(\tau) := L_{A,Q} \cdot \mathrm{App}_Q(\tau_1) \cdot \mathrm{App}_Q(\tau_2) \cdots \mathrm{App}_Q(\tau_n) \cdot L_{A,Q}. \]
Finally, we set $\mathrm{App}(\tau) := \mathrm{App}_Q(\tau)$, where $Q \subseteq P$ is the set of all $M$-cancelable productions and $M$ is the set of all non-terminals appearing in $\tau$ (since $\tau$ is complete, $M$ is realizable). Now clearly, each $\mathrm{App}(\tau)$ is a finite product $K_1 \cdot K_2 \cdots K_m$ as desired: this follows by induction on the size of $\tau$. Thus, to prove Lemma 4, the following suffices:

Lemma 8. For every complete derivation tree $\tau$ of $G$, we have $L_\tau(G) \subseteq \mathrm{App}(\tau)$.

Proof. Suppose $w \in L_\tau(G)$ is derived using a complete derivation tree $\tau'$ with $\tau \sqsubseteq \tau'$. Then, the set of non-terminals appearing in $\tau$ must be the same as in $\tau'$; we denote it by $M$. Let $Q \subseteq P$ be the set of all $M$-cancelable productions. Moreover, since $\tau \leq \tau'$, we can observe that there exist pumps $\tau_1, \ldots, \tau_n$ with root non-terminals $A_1, \ldots, A_n$ and nodes $x_1, \ldots, x_n$ in $\tau$ such that $\tau'$ can be obtained from $\tau$ by replacing each node $x_i$ by the pump $\tau_i$.

Since both $\tau$ and $\tau'$ are complete derivations of $G$, each must have counter effect $0$. Thus, $\varphi(\tau_1) + \cdots + \varphi(\tau_n) = \varphi(\tau') - \varphi(\tau) = 0$. Hence, the pumps $\tau_1, \ldots, \tau_n$ witness that the productions appearing in $\tau_1, \ldots, \tau_n$ are $M$-cancelable. Thus, the derivation corresponding to $\tau_i$ uses only productions in $Q$, and thus $\tau_i$ corresponds to $A_i \Rightarrow^*_Q u_i A_i v_i$ for some $u_i, v_i$, and we have $u_i, v_i \in L_{A_i,Q}$. Hence $w \in \mathrm{App}(\tau)$.


5 Growth 


In this section, we prove Theorem 3. Since clearly a bounded language has polynomial growth, it remains to be shown that if $L$ is accepted by a PRBCA and $L$ is not bounded, then it has exponential growth. For two languages $L_1, L_2 \subseteq \Sigma^*$, we write $L_1 \leq_{\mathrm{lin}} L_2$ if there exists a constant $c \in \mathbb{N}$ such that for every word $w_1 \in L_1$, there exists $w_2 \in L_2$ with $|w_2| \leq c \cdot |w_1|$ and $w_1$ is a factor of $w_2$. It is not difficult to observe that for two languages $L_1, L_2 \subseteq \Sigma^*$, if $L_1 \leq_{\mathrm{lin}} L_2$ and $L_1$ has exponential growth, then so does $L_2$.

In order to show Theorem 3, we need an adapted version of Lemma 3. A Z-grammar is in Chomsky normal form if all productions are of the form $(A \to BC, u)$ or $(A \to a, v)$ with $A, B, C \in N$, $a \in \Sigma$, and $u, v \in \mathbb{Z}^d$. In other words, the context-free grammar obtained by forgetting all counter vectors is in Chomsky normal form. Fernau and Stiebe [21, Proposition 5.12] have shown that every Z-grammar has an equivalent Z-grammar in Chomsky normal form.

Lemma 9. If $G = (N, \Sigma, P, S)$ is a Z-grammar in Chomsky normal form, $M \subseteq N$ is realizable, $Q \subseteq P$ is $M$-cancelable, and $A \in M$, then $L_{A,Q} \leq_{\mathrm{lin}} L(G)$.

This is shown essentially the same way as Lemma 3. Let us now show that if a language $L$ accepted by a PRBCA is not bounded, then it must have exponential growth. We have seen above that as a PRBCA language, $L$ is generated by some Z-grammar. As shown by Fernau and Stiebe [21, Proposition 5.12], this implies that $L = L(G)$ for some Z-grammar $G$ in Chomsky normal form. Since $L$ is not bounded, Lemma 4 yields $A$ and $Q$ such that $L_{A,Q}$ is not a bounded language. It is well-known that any context-free language that is not bounded has exponential growth (this fact has apparently been independently discovered at least six times, see [24] for references). Thus, $L_{A,Q}$ has exponential growth. By Lemma 9, we have $L_{A,Q} \leq_{\mathrm{lin}} L$ and thus $L$ has exponential growth.
for constructing an existential Presburger formula for the Parikh image of a

Abstract. Reversibility is the capability of a system of undoing its own
actions starting from the last performed one, in such a way that a past 
consistent state is reached. This is not trivial for concurrent systems, as 
the last performed action may not be uniquely identifiable. There are 
several approaches to address causality-consistent reversibility, some in- 
cluding a notion of forward-reverse bisimilarity. We introduce a minimal 
process calculus for reversible systems to investigate compositionality 
properties and equational characterizations of forward-reverse bisimilar- 
ity as well as of its two components, i.e., forward bisimilarity and reverse 
bisimilarity, so as to highlight their differences. The study is conducted 
not only in a nondeterministic setting, but also in a stochastic one where 
time reversibility and lumpability for Markov chains are exploited. 


1 Introduction 


Reversibility started to receive attention in computing several decades ago [15,3]. 
Landauer’s principle states that any irreversible manipulation of information, 
such as bit erasure or computation path merging, must be accompanied by a 
corresponding entropy increase. Therefore, any reversible computation, in which 
no information is lost, may be potentially carried out without releasing any heat. 
Nowadays, reversible computing has many applications ranging from biochemi- 
cal reaction modeling and parallel discrete-event simulation to robotics, control 
theory, fault tolerant systems, and concurrent program debugging. 

In a reversible system, we can observe two directions of computation: a for- 
ward one, coinciding with the normal way of computing, and a backward one, 
along which the effects of the forward one are undone when needed in a causally 
consistent way, i.e., by returning to a past consistent state. The latter task is 
not easy to accomplish in a concurrent system, because the undo procedure 
necessarily starts from the last performed action and this may not be unique. 
The usually adopted strategy is that an action can be undone provided that all 
of its consequences, if any, have been undone beforehand. 

In the process algebra literature, two approaches have been developed to 
reverse a computation based on keeping track of past actions: the dynamic one 
of [7] and the static one of [24]. The former yields RCCS, a variant of CCS [20] 
that uses stack-based memories attached to processes to record all the actions 
executed by those processes. In contrast, the latter proposes a general method, 
of which CCSK is a result, to reverse calculi, relying on the idea of retaining 
within the process syntax all executed actions and dynamic operators. 
In [24], forward-reverse bisimilarity is introduced too. Unlike standard bisimilarity [22,20], it is truly concurrent as it does not satisfy the expansion law of
parallel composition into a choice among all possible action sequencings. The 
interleaving view can be restored by employing back-and-forth bisimilarity [8]. 
This is defined on computation paths instead of states, thus preserving not only 
causality but also history as backward moves have to occur along the path fol- 
lowed when going forward even in the presence of concurrency. 

In this paper, we investigate compositionality properties and equational char- 
acterizations of forward-reverse bisimilarity as well as of its two components, i.e., 
forward bisimilarity and reverse bisimilarity, so as to highlight their differences. 
To this purpose, we introduce a minimal calculus including only the terminated process $0$, the unary action prefix operator $a.\_$ where $a$ stands for an action, and the binary alternative composition operator $\_ + \_$, also called choice. These operators are enough to compare the essential features of the three equivalences, in a neutral way with respect to interleaving view vs. true concurrency.

The paper is divided into two parts. In Section 2, we conduct our study on 
nondeterministic reversible processes, with the operational semantic rules de- 
fined in the style of [24] generating only forward transitions that are viewed as 
bidirectional, in lieu of a forward transition relation separated from a backward 
transition relation. In Section 3, we repeat our study on stochastic reversible pro- 
cesses, whose operational semantic rules in the style of [24] generate a single tran- 
sition relation encompassing both forward transitions and backward transitions, 
by exploiting time reversibility [13] and lumpability [14] for Markov chains. In 
Section 4, we recap the differences between forward and reverse bisimilarities. 


2 The Nondeterministic Case 


In this section, we investigate forward bisimilarity, reverse bisimilarity, and 
forward-reverse bisimilarity over nondeterministic reversible processes. We start 
by introducing the syntax (Section 2.1) and the semantics (Section 2.2) for these 
processes through a minimal calculus, then we provide the definitions of the three 
equivalences (Section 2.3) and we study their congruence properties (Section 2.4) 
and equational characterizations (Section 2.5). 


2.1 Syntax of Nondeterministic Reversible Processes 


In the formalization of a process, we usually describe only its future behavior, hence the following syntax for sequential processes where $a \in A$:
\[ P ::= 0 \mid a.P \mid P + P \]
However, in order to support the definition of the semantics in the style of [24], we need to enrich the syntax above with information about the past, i.e., the actions that have already been executed. Due to the absence of a parallel composition operator, unlike [24] there is no need to add communication keys to executed actions. It thus suffices to mark them with some symbol, which we choose to be $\dagger$. This yields the following syntax extended with information about the past:
\[ P ::= 0 \mid a.P \mid a^\dagger.P \mid P + P \]
We can syntactically characterize several classes of processes generated by the grammar above through suitable predicates. Firstly, we have initial processes, i.e., processes in which all the actions are unexecuted:
\[
\begin{array}{l}
\mathit{initial}(0) \\
\mathit{initial}(a.P) \Leftarrow \mathit{initial}(P) \\
\mathit{initial}(P_1 + P_2) \Leftarrow \mathit{initial}(P_1) \land \mathit{initial}(P_2)
\end{array}
\]
Secondly, we have final processes, i.e., processes in which all the actions along a single path have been executed:
\[
\begin{array}{l}
\mathit{final}(0) \\
\mathit{final}(a^\dagger.P) \Leftarrow \mathit{final}(P) \\
\mathit{final}(P_1 + P_2) \Leftarrow (\mathit{final}(P_1) \land \mathit{initial}(P_2)) \lor (\mathit{initial}(P_1) \land \mathit{final}(P_2))
\end{array}
\]
Multiple paths arise only in the presence of alternative compositions. At each occurrence of $+$, only the subprocess chosen for execution advances, while the other one, although not selected, is kept as an initial subprocess within the overall process to support the definition of the semantics in the style of [24].

Thirdly, we have the processes that are reachable from an initial one, whose set we denote by $\mathbb{P}$:
\[
\begin{array}{l}
\mathit{reachable}(0) \\
\mathit{reachable}(a.P) \Leftarrow \mathit{initial}(P) \\
\mathit{reachable}(a^\dagger.P) \Leftarrow \mathit{reachable}(P) \\
\mathit{reachable}(P_1 + P_2) \Leftarrow (\mathit{reachable}(P_1) \land \mathit{initial}(P_2)) \lor (\mathit{initial}(P_1) \land \mathit{reachable}(P_2))
\end{array}
\]


It is worth noting that: 


- $0$ is the only process that is both initial and final as well as reachable.
- Any initial or final process is reachable too.
- $\mathbb{P}$ also contains processes that are neither initial nor final, like e.g. $a^\dagger.P$ with $\mathit{initial}(P)$ and $P \neq 0$.
- The relative positions of already executed actions and actions to be executed matter; in particular, an action of the former kind can never follow one of the latter kind. For instance, $a^\dagger.b.P \in \mathbb{P}$ if $\mathit{initial}(P)$, whereas $b.a^\dagger.P \notin \mathbb{P}$.


2.2 Semantics of Nondeterministic Reversible Processes 


According to the approach of [24], dynamic operators such as action prefix and alternative composition have to be made static by the semantics, so as to retain within the syntax all the information needed to enable reversibility. For the sake of minimality, unlike [24] we do not generate two distinct transition relations, a forward one $\longrightarrow$ and a backward one $\rightsquigarrow$, but a single transition relation, which we implicitly regard as being symmetric like in [8] to enforce the loop property: any executed action can be undone and any undone action can be redone.

In our setting, a backward transition from $P'$ to $P$ ($P' \overset{a}{\rightsquigarrow} P$) is subsumed by the corresponding forward transition $t$ from $P$ to $P'$ ($P \xrightarrow{a} P'$). As will become clear with the definition of behavioral equivalences in Section 2.3, like in [8] when going forward we view $t$ as an outgoing transition of $P$, while when going backward we view $t$ as an incoming transition of $P'$. The semantic rules in Table 1 generate the labeled transition system $(\mathbb{P}, A, \longrightarrow)$ where $\longrightarrow \subseteq \mathbb{P} \times A \times \mathbb{P}$.

\[
\begin{array}{cc}
(\mathrm{ACT}_f)\ \dfrac{\mathit{initial}(P)}{a.P \xrightarrow{a} a^\dagger.P}
&
(\mathrm{ACT}_p)\ \dfrac{P \xrightarrow{b} P'}{a^\dagger.P \xrightarrow{b} a^\dagger.P'}
\\[3ex]
(\mathrm{CHO}_l)\ \dfrac{P_1 \xrightarrow{a} P'_1 \quad \mathit{initial}(P_2)}{P_1 + P_2 \xrightarrow{a} P'_1 + P_2}
&
(\mathrm{CHO}_r)\ \dfrac{P_2 \xrightarrow{a} P'_2 \quad \mathit{initial}(P_1)}{P_1 + P_2 \xrightarrow{a} P_1 + P'_2}
\end{array}
\]

Table 1. Operational semantic rules for nondeterministic reversible processes

The first rule for action prefix ($\mathrm{ACT}_f$, where $f$ stands for forward) applies only if $P$ is initial and retains the executed action in the target process of the generated forward transition by decorating the action itself with $\dagger$. The second rule for action prefix ($\mathrm{ACT}_p$, where $p$ stands for propagation) propagates actions executed by inner initial subprocesses.

In both rules for alternative composition ($\mathrm{CHO}_l$ and $\mathrm{CHO}_r$, where $l$ stands for left and $r$ stands for right), the subprocess that has not been selected for execution is retained as an initial subprocess in the target process of the generated transition. When both subprocesses are initial, both rules for alternative composition are applicable; otherwise only one of them can be applied, and in that case it is the non-initial subprocess that can move, because the other one has been discarded at the moment of the selection.

Any state corresponding to a process different from $0$ has at least one outgoing transition if it is initial, and exactly one incoming transition otherwise, due to the decoration of executed actions. The labeled transition system underlying an initial process turns out to be a tree, whose branching points correspond to occurrences of $+$.


Example 1. The labeled transition systems generated by the rules in Table 1 for the two initial processes $a.0 + a.0$ and $a.0$ are the following: on the left, $a.0 + a.0$ has two $a$-transitions, one to $a^\dagger.0 + a.0$ (by $\mathrm{CHO}_l$) and one to $a.0 + a^\dagger.0$ (by $\mathrm{CHO}_r$); on the right, $a.0$ has the single transition $a.0 \xrightarrow{a} a^\dagger.0$.

As far as the one on the left is concerned, we observe that, in the case of a standard process calculus, a single $a$-transition from $a.0 + a.0$ to $0$ would have been generated due to the absence of action decorations within processes.


2.3 Bisimilarities for Nondeterministic Reversible Processes 


The asymmetry between the relative positions of already executed actions and 
actions to be executed within reachable processes, as well as the asymmetry 
between the use of predicates initial and final in the operational semantic rules, 
determine a number of asymmetries between forward and reverse bisimilarity 
defined below that will become evident in Sections 2.4 and 2.5. 
The difference between the definitions of forward bisimilarity and reverse
bisimilarity is that the former considers only outgoing transitions [22,20] whereas 
the latter considers only incoming transitions. We also address forward-reverse 
bisimilarity [24], which considers both outgoing transitions and incoming ones. 
All the equivalences are strong, i.e., they do not abstract from invisible actions. 


Definition 1. We say that P,, P2 € P are forward bisimilar, written Pi ~pp Pz, 
iff (Pı, P2) € B for some forward bisimulation B. A symmetric relation B over P 
is a forward bisimulation iff for all (P1, P2) € B anda €A: 


— Whenever P, — P!, then Pa — P} with (PI, PL) € B. a 


Definition 2. We say that P,, P> € P are reverse bisimilar, written Pi ~pp Pz, 
iff (Pi, P2) € B for some reverse bisimulation B. A symmetric relation B over P 
is a reverse bisimulation iff for all (Pi, P2) € B anda€ A: 


— Whenever P! + P,, then P} — P, with (P{, P3) € B. a 


Definition 3. We say that Pı, P> € P are forward-reverse bisimilar, written 
Pi ~rrp Po, iff (Pi, P2) € B for some forward-reverse bisimulation B. A sym- 
metric relation B over P is a forward-reverse bisimulation iff for all (P,, P2) € B 
anda€é A: 


— Whenever Pi = P!, then P> + P} with (P{, PL) € B. 
— Whenever P! = P,, then P — P> with (P{, PL) € B. | 


It holds that $\sim_{\rm FRB} \subsetneq \sim_{\rm FB} \cap \sim_{\rm RB}$. The inclusion is strict because for example 
the two final processes $a^\dagger.0$ and $a^\dagger.0 + c.0$ are identified by $\sim_{\rm FB}$ and by $\sim_{\rm RB}$, 
but distinguished by $\sim_{\rm FRB}$ as in the latter process action $c$ is enabled again after 
undoing $a$. Moreover, $\sim_{\rm FB}$ and $\sim_{\rm RB}$ are incomparable because for instance: 

$a^\dagger.0 \sim_{\rm FB} 0$ but $a^\dagger.0 \not\sim_{\rm RB} 0$ 

$a.0 \sim_{\rm RB} 0$ but $a.0 \not\sim_{\rm FB} 0$ 

The first asymmetry is that $\sim_{\rm FRB} = \sim_{\rm FB}$ over initial processes, with $\sim_{\rm RB}$ strictly 
coarser, whilst $\sim_{\rm FRB} \neq \sim_{\rm RB}$ over final processes because, after going backward, 
previously discarded subprocesses come into play again in the forward direction. 


Example 2. The two processes shown in Example 1 are identified by all the 
three equivalences. This is witnessed by any bisimulation that contains the pairs 
$(a.0 + a.0, a.0)$, $(a^\dagger.0 + a.0, a^\dagger.0)$, and $(a.0 + a^\dagger.0, a^\dagger.0)$. 
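The three bisimilarities of Definitions 1-3 (and the past-sensitive variant of Definition 4 below) can be computed mechanically over the finite labeled transition systems of reachable processes. The following Python code is an added illustration, not code from the paper: it encodes processes as tuples, derives the forward transitions from the rules of Table 3 with the rates dropped (the text of Section 3.4 states that Table 3 extends Table 1 in exactly that way, plus the rule ACT_r), reads incoming transitions off the same relation, and computes the largest bisimulation by partition refinement. The term encoding and the rule names in the comments are assumptions made here; the checks at the end reproduce the (in)equivalences stated above and in Example 2.

```python
# Added example (not the paper's code): the nondeterministic reversible calculus
# of Section 2 and the bisimilarities of Definitions 1-4 by partition refinement.
# Forward rules: Table 3 without rates (rule names in comments are assumptions).
NIL = ('nil',)

def pre(a, p, done=False):
    """Action prefix: a.P when done is False, a†.P when done is True."""
    return ('pre', a, done, p)

def plus(p, q):
    """Alternative composition P + Q."""
    return ('sum', p, q)

def initial(p):
    """initial(P): no action inside P has been executed."""
    if p == NIL:
        return True
    if p[0] == 'pre':
        return (not p[2]) and initial(p[3])
    return initial(p[1]) and initial(p[2])

def to_initial(p):
    """to_initial of Section 2.5: remove every dagger decoration."""
    if p == NIL:
        return NIL
    if p[0] == 'pre':
        _, a, done, q = p
        return p if not done else ('pre', a, False, to_initial(q))
    return ('sum', to_initial(p[1]), to_initial(p[2]))

def steps(p):
    """Outgoing transitions of P as (action, P') pairs."""
    if p == NIL:
        return
    if p[0] == 'pre':
        _, a, done, q = p
        if not done:
            if initial(q):                      # a.P -a-> a†.P  (initial(P) required)
                yield a, ('pre', a, True, q)
        else:
            for b, q2 in steps(q):              # a†.P -b-> a†.P'  if P -b-> P'
                yield b, ('pre', a, True, q2)
        return
    _, p1, p2 = p
    if initial(p2):                             # left summand moves, right one initial
        for a, p1n in steps(p1):
            yield a, ('sum', p1n, p2)
    if initial(p1):                             # symmetric rule
        for a, p2n in steps(p2):
            yield a, ('sum', p1, p2n)

def lts(*roots):
    """Processes reachable forward from the initial versions of the roots and their
    transitions; incoming transitions are read off the same forward relation."""
    states, trans, todo = set(), set(), [to_initial(r) for r in roots]
    while todo:
        p = todo.pop()
        if p in states:
            continue
        states.add(p)
        for a, q in steps(p):
            trans.add((p, a, q))
            todo.append(q)
    return states, trans

def bisimilar(p1, p2, forward=True, reverse=False, past_sensitive=False):
    """Largest bisimulation by partition refinement. forward only: ~FB; reverse
    only: ~RB; both: ~FRB; forward with past_sensitive: ~FB,ps (Definition 4)."""
    states, trans = lts(p1, p2)
    out = {s: [] for s in states}
    inc = {s: [] for s in states}
    for s, a, t in trans:
        out[s].append((a, t))
        inc[t].append((a, s))
    # Definition 4 additionally requires initial(P1) <=> initial(P2)
    block = {s: (initial(s) if past_sensitive else True) for s in states}
    while True:
        def signature(s):
            fwd = frozenset((a, block[t]) for a, t in out[s]) if forward else None
            bwd = frozenset((a, block[t]) for a, t in inc[s]) if reverse else None
            return (block[s], fwd, bwd)
        refined = {s: signature(s) for s in states}
        if len(set(refined.values())) == len(set(block.values())):
            return block[p1] == block[p2]       # partition is stable
        block = refined

FB = dict(forward=True, reverse=False)
RB = dict(forward=False, reverse=True)
FRB = dict(forward=True, reverse=True)
FBPS = dict(forward=True, reverse=False, past_sensitive=True)

if __name__ == '__main__':
    a_done = pre('a', NIL, done=True)           # a†.0
    print('a†.0 ~FB 0:', bisimilar(a_done, NIL, **FB),
          ' a†.0 ~RB 0:', bisimilar(a_done, NIL, **RB))
```

Because the forward relation alone generates the whole transition system of a reachable process, `lts` explores from `to_initial` of each root; the reverse variants then simply look at the incoming edges, which is exactly the asymmetry between Definitions 1 and 2.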


2.4 Congruence Properties 


In principle, it makes sense that $\sim_{\rm FB}$ identifies processes with a different past 
and that $\sim_{\rm RB}$ identifies processes with a different future, in particular with $0$ that 
has neither past nor future. However, for $\sim_{\rm FB}$ this results in a compositionality 
violation with respect to alternative composition. As an example: 

$a^\dagger.b.0 \sim_{\rm FB} b.0$ 

$a^\dagger.b.0 + c.0 \not\sim_{\rm FB} b.0 + c.0$ 

because in $a^\dagger.b.0 + c.0$ action $c$ is disabled due to the presence of the already 
executed action $a^\dagger$, while in $b.0 + c.0$ action $c$ is enabled as there are no past 
actions preventing it from occurring. Note that a similar phenomenon does not 
happen with $\sim_{\rm RB}$ as $a^\dagger.b.0 \not\sim_{\rm RB} b.0$ due to the incoming $a$-transition of $a^\dagger.b.0$, 
thus yielding the second asymmetry between forward and reverse bisimilarity. 

This problem, which does not show up for $\sim_{\rm RB}$ and $\sim_{\rm FRB}$ because these two 
equivalences cannot identify an initial process with a non-initial one, leads to 
the following variant of $\sim_{\rm FB}$ that is sensitive to the presence of the past. 


Definition 4. We say that $P_1, P_2 \in \mathbb{P}$ are past-sensitive forward bisimilar, 
written $P_1 \sim_{\rm FB,ps} P_2$, iff $(P_1, P_2) \in \mathcal{B}$ for some past-sensitive forward bisimulation 
$\mathcal{B}$. A symmetric relation $\mathcal{B}$ over $\mathbb{P}$ is a past-sensitive forward bisimulation iff 
for all $(P_1, P_2) \in \mathcal{B}$: 

— $\mathit{initial}(P_1) \Leftrightarrow \mathit{initial}(P_2)$. 
— For all $a \in A$, whenever $P_1 \xrightarrow{a} P_1'$, then $P_2 \xrightarrow{a} P_2'$ with $(P_1', P_2') \in \mathcal{B}$. 


Now $\sim_{\rm FB,ps}$ is sensitive to the presence of the past: 

$a^\dagger.b.0 \not\sim_{\rm FB,ps} b.0$ 

but can still identify non-initial processes having a different past: 

$a_1^\dagger.P \sim_{\rm FB,ps} a_2^\dagger.P$ 

It holds that $\sim_{\rm FRB} \subsetneq \sim_{\rm FB,ps} \cap \sim_{\rm RB}$, with $\sim_{\rm FRB} = \sim_{\rm FB,ps}$ over initial processes 
as well as $\sim_{\rm FB,ps}$ and $\sim_{\rm RB}$ being incomparable because e.g. for $a_1 \neq a_2$: 

$a_1^\dagger.P \sim_{\rm FB,ps} a_2^\dagger.P$ but $a_1^\dagger.P \not\sim_{\rm RB} a_2^\dagger.P$ 

$a_1.P \sim_{\rm RB} a_2.P$ but $a_1.P \not\sim_{\rm FB,ps} a_2.P$ 

We conclude by formalizing the congruence properties of all the considered 
equivalences. When present in the results below, side conditions just ensure that 
the overall processes are reachable. 


Theorem 1. Let $\sim \in \{\sim_{\rm FB}, \sim_{\rm FB,ps}, \sim_{\rm RB}, \sim_{\rm FRB}\}$, $\sim' \in \{\sim_{\rm FB,ps}, \sim_{\rm RB}, \sim_{\rm FRB}\}$, 
and $P_1, P_2 \in \mathbb{P}$: 

— If $P_1 \sim P_2$ then for all $a \in A$: 
• $a.P_1 \sim a.P_2$ provided that $\mathit{initial}(P_1) \wedge \mathit{initial}(P_2)$. 
• $a^\dagger.P_1 \sim a^\dagger.P_2$. 
— If $P_1 \sim' P_2$ then for all $P \in \mathbb{P}$: 
• $P_1 + P \sim' P_2 + P$ and $P + P_1 \sim' P + P_2$ provided that $\mathit{initial}(P) \vee 
(\mathit{initial}(P_1) \wedge \mathit{initial}(P_2))$. 
— $\sim_{\rm FB,ps}$ is the coarsest congruence with respect to $+$ contained in $\sim_{\rm FB}$. 


2.5 Equational Characterizations 


We now investigate the equational characterizations of $\sim_{\rm FB,ps}$, $\sim_{\rm RB}$, and $\sim_{\rm FRB}$ 
so as to highlight the fundamental laws of these behavioral equivalences. In the 
following, by deduction system we mean a set comprising the following axioms 
and inference rules on $\mathbb{P}$ — possibly enriched by a set of additional axioms $\mathcal{A}$ — 
corresponding to the fact that $\sim_{\rm FB,ps}$, $\sim_{\rm RB}$, and $\sim_{\rm FRB}$ are equivalence relations 
as well as congruences with respect to action prefix and alternative composition: 

— Reflexivity, symmetry, transitivity: 
$$P = P \qquad \frac{P_1 = P_2}{P_2 = P_1} \qquad \frac{P_1 = P_2 \quad P_2 = P_3}{P_1 = P_3}$$ 

— $.$-Substitutivity: 
$$\frac{P_1 = P_2 \quad \mathit{initial}(P_1) \wedge \mathit{initial}(P_2)}{a.P_1 = a.P_2} \qquad \frac{P_1 = P_2}{a^\dagger.P_1 = a^\dagger.P_2}$$ 

— $+$-Substitutivity: 
$$\frac{P_1 = P_2 \quad \mathit{initial}(P) \vee (\mathit{initial}(P_1) \wedge \mathit{initial}(P_2))}{P_1 + P = P_2 + P \qquad P + P_1 = P + P_2}$$ 

(A$_1$) $(P_1 + P_2) + P_3 = P_1 + (P_2 + P_3)$ 
(A$_2$) $P_1 + P_2 = P_2 + P_1$ 
(A$_3$) $P + 0 = P$ 
(A$_4$) [$\sim_{\rm FB,ps}$] $a^\dagger.P = P$ if $\neg \mathit{initial}(P)$ 
(A$_5$) [$\sim_{\rm FB,ps}$] $a_1^\dagger.P = a_2^\dagger.P$ if $\mathit{initial}(P)$ 
(A$_6$) [$\sim_{\rm FB,ps}$] $P + Q = P$ if $\neg \mathit{initial}(P)$, where $\mathit{initial}(Q)$ 
(A$_7$) [$\sim_{\rm RB}$] $a.P = P$ where $\mathit{initial}(P)$ 
(A$_8$) [$\sim_{\rm RB}$] $P + Q = P$ if $\mathit{initial}(Q)$ 
(A$_9$) [$\sim_{\rm FB,ps}$] $P + P = P$ where $\mathit{initial}(P)$ 
(A$_{10}$) [$\sim_{\rm FRB}$] $P + Q = P$ if $\mathit{initial}(Q) \wedge \mathit{to\_initial}(P) = Q$ 

Table 2. Axioms characterizing bisimilarity over nondeterministic reversible processes 


It is well known that, in the case of bisimilarity over standard nondeterministic 
processes, alternative composition turns out to be associative and commutative 
and to admit $0$ as neutral element [11]. The same holds true for $\sim_{\rm FB,ps}$, 
$\sim_{\rm RB}$, and $\sim_{\rm FRB}$ because the two operational semantic rules for alternative 
composition are symmetric and $0$ has no outgoing or incoming transitions. This is 
formalized by axioms A$_1$ to A$_3$ in Table 2. 

Then, we have axioms specific to $\sim_{\rm FB,ps}$. Axioms A$_4$ and A$_5$ together establish 
that the past can be neglected when moving only forward, but the presence 
of the past cannot be ignored. Axiom A$_6$ states that a previously non-selected 
alternative can be discarded once the process has started moving only forward. 

Likewise, we have axioms specific to $\sim_{\rm RB}$. Axiom A$_7$ means that the future 
can be completely canceled when moving only backward. Axiom A$_8$ states 
that a previously non-selected alternative can be discarded when moving only 
backward. Since there are no constraints on $P$, axiom A$_8$ subsumes axiom A$_3$. 

Finally, the idempotency of alternative composition in the case of bisimilarity 
over standard nondeterministic processes, i.e., $P + P = P$ [11], changes depending 
on the considered equivalence: 

— For $\sim_{\rm FB,ps}$, idempotency is explicitly formalized by axiom A$_9$, which we note 
to be disjoint from axiom A$_6$ where $P$ cannot be initial. 

— For $\sim_{\rm RB}$, an additional axiom is not needed as idempotency follows from 
axiom A$_8$ by taking $Q$ equal to $P$. Thus, the third asymmetry between forward 
and reverse bisimilarity has to do with idempotency. 

— For $\sim_{\rm FRB}$, idempotency is formalized by axiom A$_{10}$, where function $\mathit{to\_initial}$ 
brings a process back to its initial version by removing all action decorations: 

$\mathit{to\_initial}(0) = 0$ 
$\mathit{to\_initial}(a.P) = a.P$ 
$\mathit{to\_initial}(a^\dagger.P) = a.\mathit{to\_initial}(P)$ 
$\mathit{to\_initial}(P_1 + P_2) = \mathit{to\_initial}(P_1) + \mathit{to\_initial}(P_2)$ 

This axiom appeared for the first time in [16] and subsumes axioms A$_6$ 
and A$_9$ for $\sim_{\rm FB,ps}$ as well as axiom A$_8$ for $\sim_{\rm RB}$. 


To prove the ground completeness of the equational characterizations of the 
three considered bisimilarities, as usual we introduce equivalence-specific normal 
forms to which every process is shown to be reducible, then we work with normal 
forms only. All the three normal forms rely on the fact that alternative composition 
is associative and commutative, hence the binary $+$ can be generalized to 
the $n$-ary $\sum_{i \in I}$ for a finite nonempty index set $I$. In the following, we denote by 
$\vdash$ the deduction relation and we examine the sets of additional axioms below: 

— $\mathcal{A}_{\rm FB,ps} = \{{\rm A}_1, {\rm A}_2, {\rm A}_3, {\rm A}_4, {\rm A}_5, {\rm A}_6, {\rm A}_9\}$. 
— $\mathcal{A}_{\rm RB} = \{{\rm A}_1, {\rm A}_2, {\rm A}_7, {\rm A}_8\}$. 
— $\mathcal{A}_{\rm FRB} = \{{\rm A}_1, {\rm A}_2, {\rm A}_3, {\rm A}_{10}\}$. 


Definition 5. We say that $P \in \mathbb{P}$ is in $\sim_{\rm FB,ps}$-normal form, written $\sim_{\rm FB,ps}$-nf, 
iff it is equal to one of the following: 

— $0$. 
— $\sum_{i \in I} a_i.P_i$, where each $P_i$ is initial and in $\sim_{\rm FB,ps}$-nf. 
— $a^\dagger.P$, where $P$ is initial and in $\sim_{\rm FB,ps}$-nf. 

All initial processes without $0$ summands are in $\sim_{\rm FB,ps}$-nf. We observe that, in 
the second case, $a_1.P_1 \sim_{\rm FB,ps} a_2.P_2$ trivially implies $a_1 = a_2$ and $P_1 \sim_{\rm FB,ps} P_2$. 
Likewise, in the third case, $a_1^\dagger.P_1 \sim_{\rm FB,ps} a_2^\dagger.P_2$ trivially implies $P_1 \sim_{\rm FB,ps} P_2$. 
These facts will be exploited in the proof of the forthcoming Theorem 2. 


Lemma 1. For all $P \in \mathbb{P}$ there is $Q \in \mathbb{P}$ in $\sim_{\rm FB,ps}$-nf such that $\mathcal{A}_{\rm FB,ps} \vdash P = Q$. 

Theorem 2. Let $P_1, P_2 \in \mathbb{P}$. Then $P_1 \sim_{\rm FB,ps} P_2$ iff $\mathcal{A}_{\rm FB,ps} \vdash P_1 = P_2$. 


Definition 6. We say that $P \in \mathbb{P}$ is in $\sim_{\rm RB}$-normal form, written $\sim_{\rm RB}$-nf, 
iff it is equal to one of the following: 

— $0$. 
— $a^\dagger.P$, where $P$ is in $\sim_{\rm RB}$-nf. 

The normal form above boils down to a final process consisting of a possibly 
empty, finite sequence of already executed actions terminated by $0$. As a 
consequence, $a_1^\dagger.P_1 \sim_{\rm RB} a_2^\dagger.P_2$ with $P_1$ and $P_2$ in $\sim_{\rm RB}$-nf implies $a_1 = a_2$ and 
$P_1 \sim_{\rm RB} P_2$, because $a_1^\dagger.P_1$ and $a_2^\dagger.P_2$ must feature the same sequence of already 
executed actions and the last executed action of $P_1$ (resp. $P_2$), when the process 
is different from $0$, is the same as the last executed action of $a_1^\dagger.P_1$ (resp. $a_2^\dagger.P_2$). 
This fact will be exploited in the proof of the forthcoming Theorem 3. 

Lemma 2. For all $P \in \mathbb{P}$ there is $Q \in \mathbb{P}$ in $\sim_{\rm RB}$-nf such that $\mathcal{A}_{\rm RB} \vdash P = Q$. 

Theorem 3. Let $P_1, P_2 \in \mathbb{P}$. Then $P_1 \sim_{\rm RB} P_2$ iff $\mathcal{A}_{\rm RB} \vdash P_1 = P_2$. 
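Theorems 2 and 3 say that two processes are $\sim_{\rm FB,ps}$-equivalent (resp. $\sim_{\rm RB}$-equivalent) exactly when the axioms rewrite them to the same normal form. The Python code below is an added illustration, not code from the paper: it rewrites a process into the $\sim_{\rm FB,ps}$-normal form of Definition 5 using A$_3$ to A$_6$ and A$_9$, and into the $\sim_{\rm RB}$-normal form of Definition 6 using A$_7$ and A$_8$, treating $+$ as $n$-ary and sorting summands so that A$_1$ and A$_2$ are handled by structural equality. The term encoding and the placeholder label `'*'` (a representative for the dagger label that A$_5$ makes irrelevant) are choices made here.

```python
# Added example (not the paper's code): normal forms for ~FB,ps and ~RB from
# the axioms of Table 2, so that equality of normal forms decides the
# equivalence (Theorems 2 and 3). Term encoding and '*' label are assumptions.
NIL = ('nil',)

def pre(a, p, done=False):
    """a.P when done is False, a†.P when done is True."""
    return ('pre', a, done, p)

def plus(p, q):
    return ('sum', p, q)

def initial(p):
    if p == NIL:
        return True
    if p[0] == 'pre':
        return (not p[2]) and initial(p[3])
    return initial(p[1]) and initial(p[2])

def summands(p):
    """Flatten nested + into a list: A1 and A2 let + be treated as n-ary."""
    return summands(p[1]) + summands(p[2]) if p[0] == 'sum' else [p]

def nf_fbps(p):
    """~FB,ps-normal form (Definition 5). A5 identifies a1†.P and a2†.P for
    initial P, so the dagger label is replaced by the placeholder '*'."""
    if p == NIL:
        return NIL
    if p[0] == 'pre':
        _, a, done, q = p
        if not done:                              # second case of Definition 5
            return ('pre', a, False, nf_fbps(q))
        if initial(q):                            # third case; label irrelevant (A5)
            return ('pre', '*', True, nf_fbps(q))
        return nf_fbps(q)                         # A4: a†.P = P when P is not initial
    parts = summands(p)
    past = [s for s in parts if not initial(s)]
    if past:                                      # A6: initial alternatives beside a
        return nf_fbps(past[0])                   # non-initial summand are discarded
    terms = sorted({nf_fbps(s) for s in parts} - {NIL})   # A9 idempotency, A3 drops 0
    if not terms:
        return NIL
    return terms[0] if len(terms) == 1 else ('nsum', tuple(terms))

def nf_rb(p):
    """~RB-normal form (Definition 6): the executed actions ending in 0."""
    if initial(p):
        return NIL                                # A7 and A8 reduce every initial process to 0
    if p[0] == 'pre':                             # a non-initial prefix is a†.P
        _, a, _, q = p
        return ('pre', a, True, nf_rb(q))
    past = [s for s in summands(p) if not initial(s)]
    return nf_rb(past[0])                         # A8: initial alternatives are dropped

def fbps_equal(p, q):
    """Theorem 2: P1 ~FB,ps P2 iff their ~FB,ps-normal forms coincide."""
    return nf_fbps(p) == nf_fbps(q)

def rb_equal(p, q):
    """Theorem 3: P1 ~RB P2 iff their ~RB-normal forms coincide."""
    return nf_rb(p) == nf_rb(q)
```

A reachable process has at most one non-initial summand in any sum, which is why `past[0]` suffices in both rewriters; the `'nsum'` node only appears for sums of two or more distinct initial summands, so a singleton sum and its summand get the same normal form.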


Definition 7. We say that $P \in \mathbb{P}$ is in $\sim_{\rm FRB}$-normal form, written $\sim_{\rm FRB}$-nf, 
iff it is equal to one of the following: 

— $0$. 
— $\sum_{i \in I} a_i.P_i$, where each $P_i$ is initial and in $\sim_{\rm FRB}$-nf. 
— $a^\dagger.P$, where $P$ is in $\sim_{\rm FRB}$-nf. 
— $a^\dagger.P + \sum_{i \in I} a_i.P_i$, where $P$ is in $\sim_{\rm FRB}$-nf and each $P_i$ is initial and in 
$\sim_{\rm FRB}$-nf. 

As for the second case above, which is concerned with initial processes, we 
observe that $a_1.P_1 \sim_{\rm FRB} a_2.P_2$ trivially implies $a_1 = a_2$ and $P_1 \sim_{\rm FRB} P_2$. The 
last two cases together, which are concerned with non-initial processes, yield a 
process consisting of a finite sequence of already executed actions terminated by 
an initial process, such that every action in the sequence may have an initial 
process as an alternative. As a consequence, $a_1^\dagger.P_1 + P_1' \sim_{\rm FRB} a_2^\dagger.P_2 + P_2'$ 
with $P_1, P_2, P_1', P_2'$ in $\sim_{\rm FRB}$-nf, $P_1'$ and $P_2'$ initial, and $P_1'$ and $P_2'$ moving only 
when going back to $\mathit{to\_initial}(a_1^\dagger.P_1)$ and $\mathit{to\_initial}(a_2^\dagger.P_2)$, implies $a_1 = a_2$, 
$P_1 \sim_{\rm FRB} P_2$, and $P_1' \sim_{\rm FRB} P_2'$. These facts will be exploited in the proof of the 
forthcoming Theorem 4. 

Lemma 3. For all $P \in \mathbb{P}$ there is $Q \in \mathbb{P}$ in $\sim_{\rm FRB}$-nf such that $\mathcal{A}_{\rm FRB} \vdash P = Q$. 

Theorem 4. Let $P_1, P_2 \in \mathbb{P}$. Then $P_1 \sim_{\rm FRB} P_2$ iff $\mathcal{A}_{\rm FRB} \vdash P_1 = P_2$. 


3 The Markovian Case 


In this section, we repeat the investigation over Markovian reversible processes. 
We start by recalling the theory of continuous-time Markov chains (Section 3.1) 
including time reversibility (Section 3.2) and lumpability (Section 3.3), then we 
introduce syntax and semantics for these processes (Section 3.4), we provide the 
definitions of the three equivalences (Section 3.5), and we study their congruence 
properties and equational characterizations (Section 3.6). 


3.1 Markov Chains: Definition, Representation, Terminology 


A Markov chain is a discrete-state stochastic process characterized by the memoryless 
property [14]. More precisely, a stochastic process $X(t)$, $t \in \mathbb{R}_{\ge 0}$, over 
a discrete state space $S$ is a continuous-time Markov chain (CTMC) iff for 
all $n \in \mathbb{N}$, time instants $t_0 < t_1 < \dots < t_n < t_{n+1} \in \mathbb{R}_{\ge 0}$, and states 
$s_0, s_1, \dots, s_n, s_{n+1} \in S$ it holds that $\Pr\{X(t_{n+1}) = s_{n+1} \mid X(t_i) = s_i, 0 \le i \le n\} 
= \Pr\{X(t_{n+1}) = s_{n+1} \mid X(t_n) = s_n\}$, i.e., the probability of moving from one 
state to another does not depend on the particular path that has been followed 
in the past to reach the current state, hence that path can be forgotten. 

A CTMC is representable as a labeled transition system or as a state-indexed 
matrix. In the first case, each transition is labeled with some probabilistic in- 
formation describing the evolution from the source state to the target state of 
the transition. In the second case, the same information is stored into an en- 
try, indexed by those two states, of a matrix. The value of this probabilistic 
information is a function of the time at which the state change takes place. 

For the sake of simplicity, we restrict ourselves to time-homogeneous CTMCs, 
in which conditional probabilities of the form $\Pr\{X(t + t') = s' \mid X(t) = s\}$ 
do not depend on $t$, so that the considered information is simply a positive 
real number given by $\lim_{t' \to 0} \Pr\{X(t + t') = s' \mid X(t) = s\} / t'$. This is called the rate at 
which the CTMC moves from state $s$ to state $s'$ and uniquely characterizes the 
exponentially distributed time taken by the considered move. 

A CTMC is irreducible iff each of its states is reachable from every other state 
with probability greater than 0. A state s € S is recurrent iff the CTMC will 
eventually return to s with probability 1, in which case s is positive recurrent iff 
the expected number of steps until the CTMC returns to it is finite. A CTMC is 
ergodic iff it is irreducible and all of its states are positive recurrent; ergodicity 
coincides with irreducibility in the case that the CTMC has finitely many states. 

Every time-homogeneous and ergodic CTMC $X(t)$ is stationary, which means 
that $(X(t_i + t'))_{1 \le i \le n}$ has the same joint distribution as $(X(t_i))_{1 \le i \le n}$ for all 
$n \in \mathbb{N}_{\ge 1}$ and $t_1 < \dots < t_n, t' \in \mathbb{R}_{\ge 0}$. In this case, $X(t)$ has a unique steady-state 
probability distribution $\pi$ that for all $s \in S$ fulfills $\pi(s) = \lim_{t \to \infty} \Pr\{X(t) = s \mid 
X(0) = s'\}$ for any $s' \in S$. These probabilities can be computed by solving the 
linear system of global balance equations $\pi \cdot \mathbf{Q} = \mathbf{0}$ subject to $\sum_{s \in S} \pi(s) = 1$ 
and $\pi(s) \in \mathbb{R}_{> 0}$ for all $s \in S$. The infinitesimal generator matrix $\mathbf{Q}$ contains for 
each pair of distinct states the rate of the corresponding move, which is $0$ in the 
absence of a direct move between them, while $q_{s,s} = -\sum_{s' \neq s} q_{s,s'}$ for all $s \in S$, 
i.e., every diagonal element contains the opposite of the total exit rate of the 
corresponding state, so that each row of $\mathbf{Q}$ sums up to $0$. 


3.2 Time Reversibility of Continuous-Time Markov Chains 


Due to state space explosion and numerical stability problems [27], the calculation 
of the solution of the global balance equation system is not always feasible. 
However, it can be tackled in the case that the behavior of the considered CTMC 
remains the same when the direction of time is reversed. A CTMC $X(t)$ is time 
reversible iff $(X(t_i))_{1 \le i \le n}$ has the same joint distribution as $(X(t' - t_i))_{1 \le i \le n}$ 
for all $n \in \mathbb{N}_{\ge 1}$ and $t_1 < \dots < t_n, t' \in \mathbb{R}_{\ge 0}$. In this case, $X(t)$ and its time-reversed 
version $X^{\rm r}(t) = X(t' - t)$ are stochastically identical, in particular 
they are stationary and share the same steady-state probability distribution $\pi$. 
In order for a stationary CTMC $X(t)$ to be time reversible, it is necessary and 
sufficient that the partial balance equations $\pi(s) \cdot q_{s,s'} = \pi(s') \cdot q_{s',s}$ are satisfied 
for all $s, s' \in S$ such that $s \neq s'$ or, equivalently, that $q_{s_1,s_2} \cdot \ldots \cdot q_{s_{n-1},s_n} \cdot q_{s_n,s_1} = 
q_{s_1,s_n} \cdot q_{s_n,s_{n-1}} \cdot \ldots \cdot q_{s_2,s_1}$ for all $n \in \mathbb{N}_{\ge 2}$ and distinct $s_1, \dots, s_n \in S$ [13]. 

The time-reversed version $X^{\rm r}(t)$ of a stationary CTMC $X(t)$ can be defined 
even when $X(t)$ is not reversible. As shown in [13,10], this is accomplished by 
using the steady-state probability distribution $\pi$ of $X(t)$, with $X^{\rm r}(t)$ turning out 
to be a CTMC too and having the same steady-state probability distribution $\pi$. 
More precisely, $q^{\rm r}_{s_i,s_j} = q_{s_j,s_i} \cdot \pi(s_j) / \pi(s_i)$ for all $s_i \neq s_j$, i.e., the rate from 
state $s_i$ to state $s_j$ in the time-reversed CTMC is proportional to the rate from 
state $s_j$ to state $s_i$ in the original CTMC, where the coefficient is given by the 
ratio of $\pi(s_j)$ to $\pi(s_i)$. Note that the time-reversed version of $X^{\rm r}(t)$ is $X(t)$. 


3.3 Lumpability of Continuous-Time Markov Chains 


A different approach to the state space explosion problem consists of aggregating 
states and transitions in a suitable way. In particular, the focus is on exact ag- 
gregations, i.e., partitions of the state space such that the probability of being in 
any of the aggregated states is equal to the sum of the probabilities of the origi- 
nal states it contains. In the following, we consider a time-homogeneous CTMC 
X(t) with state space S and infinitesimal generator matrix Q; the formulas for 
the elements of the matrix of the resulting aggregations are taken from [2]. 

The first notion of exact aggregation that we address is strong lumpabil- 
ity [14]. It was later renamed ordinary lumpability in [28,5], which we prefer 
to adopt so as not to generate confusion with the use of strong and weak for 
behavioral equivalences in concurrency theory. 


Definition 8. The partition $\mathcal{P}$ induced by an equivalence relation $\mathcal{L}$ over $S$ 
is an ordinary lumping iff for all $(s_1, s_2) \in \mathcal{L}$ and $C \in \mathcal{P}$ such that $s_1, s_2 \notin C$: 
$$\sum_{s' \in C} q_{s_1,s'} = \sum_{s' \in C} q_{s_2,s'}$$ 
The resulting CTMC with state space $\mathcal{P}$ has infinitesimal generator matrix $\mathbf{Q}'$ 
defined as follows for all $C_1, C_2 \in \mathcal{P}$ such that $C_1 \neq C_2$: 
$$q'_{C_1,C_2} = \sum_{s' \in C_2} q_{s,s'} \quad \text{where } s \in C_1$$ 


The second notion of exact aggregation is exact lumpability [25,28,5], which 
further enjoys the property that all the original states contained in the same 
aggregated state have the same probability. While ordinary lumpability considers 
the rates of outgoing transitions and does not check for rate equality within any 
class, exact lumpability considers the rates of incoming transitions and applies 
the rate equality check inside each class too. 


Definition 9. The partition $\mathcal{P}$ induced by an equivalence relation $\mathcal{L}$ over $S$ 
is an exact lumping iff for all $(s_1, s_2) \in \mathcal{L}$ and $C \in \mathcal{P}$: 
$$\sum_{s' \in C} q_{s',s_1} = \sum_{s' \in C} q_{s',s_2}$$ 
The resulting CTMC with state space $\mathcal{P}$ has infinitesimal generator matrix $\mathbf{Q}'$ 
defined as follows for all $C_1, C_2 \in \mathcal{P}$ such that $C_1 \neq C_2$: 
$$q'_{C_1,C_2} = \sum_{s' \in C_1} q_{s',s} \cdot (|C_2| / |C_1|) \quad \text{where } s \in C_2$$ 


The third notion of exact aggregation is strict lumpability [5], which is a 
combination of the previous two. 
Definition 10. The partition $\mathcal{P}$ induced by an equivalence relation $\mathcal{L}$ over $S$ 
is a strict lumping iff it is both an ordinary lumping and an exact lumping. 


The relationships between lumpability and time reversibility for CTMCs 
have been investigated in [18,19]: 


— An exact lumping of a CTMC corresponds to an ordinary lumping on the 
time-reversed CTMC. 

— An aggregation of a CTMC is a strict lumping iff it is a strict lumping for 
the time-reversed CTMC too. 

— An exact lumping of a CTMC is also an ordinary lumping whenever the 
CTMC is time reversible, while the vice versa does not hold in general. 


Example 3. Consider the three time-reversible, ergodic CTMCs depicted below: 

[Figure omitted: the first CTMC has states $s_0$, $s_1$, $s_2$ with rate $\lambda_1$ from $s_0$ to $s_1$, $\mu_1$ from $s_1$ to $s_0$, $\lambda_2$ from $s_0$ to $s_2$, and $\mu_2$ from $s_2$ to $s_0$; the second has states $s_0$, $s'$ with rates $\lambda_1 + \lambda_2$ and $\mu$; the third has states $s_0$, $s''$ with rates $2 \cdot \lambda$ and $\mu$.] 

When solving the global balance equations for the first CTMC from the left, 
we obtain: 
$$\pi(s_0) = \frac{\mu_1 \cdot \mu_2}{\mu_1 \cdot \mu_2 + \lambda_1 \cdot \mu_2 + \lambda_2 \cdot \mu_1} \qquad 
\pi(s_1) = \frac{\lambda_1 \cdot \mu_2}{\mu_1 \cdot \mu_2 + \lambda_1 \cdot \mu_2 + \lambda_2 \cdot \mu_1} \qquad 
\pi(s_2) = \frac{\lambda_2 \cdot \mu_1}{\mu_1 \cdot \mu_2 + \lambda_1 \cdot \mu_2 + \lambda_2 \cdot \mu_1}$$ 
If $\lambda_1 = \lambda_2$ but $\mu_1 \neq \mu_2$, then no exact aggregation exists for that CTMC. 
If $\mu_1 = \mu_2 \triangleq \mu$ but $\lambda_1 \neq \lambda_2$, then the second CTMC from the left is an ordinary 
lumping of the first one, where the aggregated state $s'$ contains the two original 
states $s_1$ and $s_2$ and the solution of the global balance equations is the following: 
$$\pi(s_0) = \frac{\mu}{\mu + \lambda_1 + \lambda_2} = \pi(s_0) \qquad 
\pi(s') = \frac{\lambda_1 + \lambda_2}{\mu + \lambda_1 + \lambda_2} = \pi(s_1) + \pi(s_2)$$ 
with $\pi(s_1) \neq \pi(s_2)$. 

If $\lambda_1 = \lambda_2 \triangleq \lambda$ and $\mu_1 = \mu_2 \triangleq \mu$, then the third CTMC from the left is a strict — 
i.e., ordinary and exact — lumping of the first one, where the aggregated state $s''$ 
contains the two original states $s_1$ and $s_2$ and the solution of the global balance 
equations is the following: 
$$\pi(s_0) = \frac{\mu}{\mu + 2 \cdot \lambda} = \pi(s_0) \qquad 
\pi(s'') = \frac{2 \cdot \lambda}{\mu + 2 \cdot \lambda} = \pi(s_1) + \pi(s_2)$$ 
with $\pi(s_1) = \pi(s_2)$. 
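The quantities used in Sections 3.1 to 3.3 and in Example 3 can all be computed exactly on a small chain. The following Python code is an added illustration, not code from the paper: it builds the infinitesimal generator from a rate table, solves the global balance equations with exact rational arithmetic, checks the partial balance equations and builds the time-reversed generator of Section 3.2, and tests the ordinary and exact lumping conditions of Definitions 8 and 9 together with the lumped generators. The function `example3_chain` encodes the first CTMC of Example 3; the state names and the concrete rate values used in the checks are constructed here.

```python
# Added example (not the paper's code): exact steady-state analysis, time
# reversal and lumpability checks (Definitions 8 and 9) on the first CTMC of
# Example 3. State names and numeric rates are constructed for the checks.
from fractions import Fraction as F

def generator(states, rates):
    """Infinitesimal generator Q from {(s, s'): rate}; q_{s,s} = -(total exit rate)."""
    Q = {(s, t): F(0) for s in states for t in states}
    for (s, t), r in rates.items():
        Q[(s, t)] += F(r)
    for s in states:
        Q[(s, s)] = -sum(Q[(s, t)] for t in states if t != s)
    return Q

def steady_state(states, Q):
    """Solve pi . Q = 0 with sum(pi) = 1 by Gaussian elimination over Fractions.
    One balance equation is redundant for an ergodic chain, so the last one is
    replaced by the normalisation constraint."""
    n = len(states)
    rows = [[Q[(s, t)] for s in states] + [F(0)] for t in states]
    rows[-1] = [F(1)] * n + [F(1)]
    for c in range(n):
        piv = next(r for r in range(c, n) if rows[r][c] != 0)
        rows[c], rows[piv] = rows[piv], rows[c]
        rows[c] = [x / rows[c][c] for x in rows[c]]
        for r in range(n):
            if r != c and rows[r][c] != 0:
                rows[r] = [x - rows[r][c] * y for x, y in zip(rows[r], rows[c])]
    return {s: rows[i][n] for i, s in enumerate(states)}

def is_time_reversible(states, Q, pi):
    """Partial balance: pi(s) q_{s,s'} = pi(s') q_{s',s} for all s != s'."""
    return all(pi[s] * Q[(s, t)] == pi[t] * Q[(t, s)]
               for s in states for t in states if s != t)

def time_reversed(states, Q, pi):
    """q^r_{si,sj} = q_{sj,si} . pi(sj) / pi(si) for si != sj; diagonal unchanged."""
    return {(si, sj): (Q[(sj, si)] * pi[sj] / pi[si] if si != sj else Q[(si, si)])
            for si in states for sj in states}

def is_ordinary_lumping(Q, partition):
    """Definition 8: states of one class have equal total rate into every other class."""
    return all(sum(Q[(s1, t)] for t in D) == sum(Q[(s2, t)] for t in D)
               for C in partition for s1 in C for s2 in C
               for D in partition if D != C)

def is_exact_lumping(Q, partition):
    """Definition 9: states of one class receive equal total rate from every class,
    the class itself (and hence the diagonal elements) included."""
    return all(sum(Q[(t, s1)] for t in D) == sum(Q[(t, s2)] for t in D)
               for C in partition for s1 in C for s2 in C for D in partition)

def lumped_generator(Q, partition, exact=False):
    """Off-diagonal entries of Q' for an ordinary (default) or an exact lumping."""
    Qp = {}
    for C1 in partition:
        for C2 in partition:
            if C1 == C2:
                continue
            if exact:      # any s in C2: rates from C1 into s, rescaled by |C2|/|C1|
                s = C2[0]
                Qp[(C1, C2)] = sum(Q[(t, s)] for t in C1) * F(len(C2), len(C1))
            else:          # any s in C1: rates from s into C2
                s = C1[0]
                Qp[(C1, C2)] = sum(Q[(s, t)] for t in C2)
    return Qp

def example3_chain(l1, l2, m1, m2):
    """First CTMC of Example 3: s0 <-> s1 with rates l1 / m1, s0 <-> s2 with l2 / m2."""
    S = ('s0', 's1', 's2')
    return S, generator(S, {('s0', 's1'): l1, ('s1', 's0'): m1,
                            ('s0', 's2'): l2, ('s2', 's0'): m2})
```

Partitions are passed as tuples of tuples, e.g. `(('s0',), ('s1', 's2'))` for the aggregation of Example 3; because the chain is a tree-like birth-death process, `time_reversed` returns the original generator whenever `is_time_reversible` holds, and the exact and ordinary lumped generators coincide in the strict case.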


Example 4. The considered notions of lumpability are distinct from each other. 
On the one hand, in the previous example the second CTMC from the left is an 
ordinary lumping of the first one, but not an exact lumping as $\pi(s_1) \neq \pi(s_2)$ 
when $\mu_1 = \mu_2$ and $\lambda_1 \neq \lambda_2$. On the other hand, the CTMC on the right depicted 
below is an exact lumping of the CTMC on the left — where the aggregated 
state $s'$ contains the two original states $s_1$ and $s_2$ — when $\mu' + \mu'' = \nu' + \nu''$, 
corresponding to $q_{s_1,s_1} + q_{s_2,s_1} = q_{s_1,s_2} + q_{s_2,s_2}$, i.e., $-(\mu' + \mu'') + 0 = 0 - (\nu' + \nu'')$, 
but it is not an ordinary lumping if $\mu' \neq \nu'$ and $\mu'' \neq \nu''$: 

[Figure omitted.] 

Note that the two CTMCs above are ergodic, but not time reversible. 


3.4 Syntax and Semantics of Markovian Reversible Processes 


We have seen in Section 2 that a single forward transition relation is enough for 
nondeterministic processes in a reversible setting. This is due to the fact that 
$P \xrightarrow{a} P'$ iff $P' \overset{a}{\rightsquigarrow} P$, where according to [24] the backward transition relation 
$\rightsquigarrow$ should be used in the second clause of the definition of $\sim_{\rm FRB}$ and hence in 
the definition of $\sim_{\rm RB}$ as well. 

A transition relation in a single direction is no longer sufficient in the case of 
Markovian reversible processes. The reason is that every transition of these pro- 
cesses is also labeled with its rate, a positive real number that uniquely identifies 
the exponentially distributed duration of the action associated with the transi- 
tion. In general, the rate may be different depending on whether the transition 
goes forward or backward, without necessarily affecting time reversibility. 

When moving from nondeterministic reversible processes to Markovian ones, 
in the syntax we thus need to replace $a$ and $a^\dagger$ with $<a, \lambda, \mu>$ and $<a^\dagger, \lambda, \mu>$ 
respectively, where $\lambda \in \mathbb{R}_{> 0}$ is the rate of the forward $a$-transition whilst $\mu \in \mathbb{R}_{> 0}$ 
is the rate of the backward $a$-transition. Predicates $\mathit{initial}$, $\mathit{final}$, and $\mathit{reachable}$ 
are extended accordingly and the set of reachable processes is denoted by $\mathbb{P}_{\rm M}$. 

In order for the semantics to be consistent with the CTMC theory recalled in 
Sections 3.1 to 3.3, we cannot use a transition relation $\longrightarrow$ with forward rates 
separated from a transition relation $\rightsquigarrow$ with backward rates, as would be the 
case if we applied the approach of [24]. For instance, the two Markovian processes 
depicted below would be identified by a Markovian variant of $\sim_{\rm FRB}$ relying on 
$\longrightarrow$ and $\rightsquigarrow$, but the CTMC underlying the labeled transition system of the 
process on the right is not an exact lumping of the CTMC underlying the labeled 
transition system of the process on the left if $\lambda_1 \neq \lambda_2$, i.e., this Markovian variant 
of $\sim_{\rm FRB}$ would not induce strict lumping: 

[Figure omitted: the labeled transition systems of $<a, \lambda_1, \mu>.0 + <a, \lambda_2, \mu>.0$, with derivatives $<a^\dagger, \lambda_1, \mu>.0 + <a, \lambda_2, \mu>.0$ and $<a, \lambda_1, \mu>.0 + <a^\dagger, \lambda_2, \mu>.0$, and of $<a, \lambda_1 + \lambda_2, \mu>.0$, with derivative $<a^\dagger, \lambda_1 + \lambda_2, \mu>.0$; forward transitions are labeled with $a$ and the forward rates, backward transitions with $a, \mu$.] 
$$\text{(ACT}_{\rm f}\text{)}\ \frac{\mathit{initial}(P)}{<a, \lambda, \mu>.P \xrightarrow{a, \lambda}_{\rm M} <a^\dagger, \lambda, \mu>.P} \qquad 
\text{(ACT}_{\rm r}\text{)}\ \frac{\mathit{initial}(P)}{<a^\dagger, \lambda, \mu>.P \xrightarrow{a, \mu}_{\rm M} <a, \lambda, \mu>.P}$$ 

$$\text{(ACT}_{\rm p}\text{)}\ \frac{P \xrightarrow{b, \xi}_{\rm M} P'}{<a^\dagger, \lambda, \mu>.P \xrightarrow{b, \xi}_{\rm M} <a^\dagger, \lambda, \mu>.P'}$$ 

$$\text{(CHO}_{\rm l}\text{)}\ \frac{P_1 \xrightarrow{a, \xi}_{\rm M} P_1' \quad \mathit{initial}(P_2)}{P_1 + P_2 \xrightarrow{a, \xi}_{\rm M} P_1' + P_2} \qquad 
\text{(CHO}_{\rm r}\text{)}\ \frac{P_2 \xrightarrow{a, \xi}_{\rm M} P_2' \quad \mathit{initial}(P_1)}{P_1 + P_2 \xrightarrow{a, \xi}_{\rm M} P_1 + P_2'}$$ 

Table 3. Operational semantic rules for Markovian reversible processes 


We thus keep using a single transition relation, which is $\longrightarrow_{\rm M} \subseteq \mathbb{P}_{\rm M} \times (A \times 
\mathbb{R}_{> 0}) \times \mathbb{P}_{\rm M}$ defined in Table 3. Unlike the one in Section 2.2, it embodies both 
transitions with forward rates and transitions with backward rates. This has 
been accomplished not only by extending all the rules in Table 1 according to 
the new richer syntax, but also by adding a rule for action prefix (ACT$_{\rm r}$, where 
r stands for reverse) that generates transitions with backward rates. 

Any state corresponding to a process different from 0 can now have several 
incoming transitions too. The labeled transition system underlying an initial 
process turns out to be a tree-like extension of a birth-death process [23,21], with 
branching points corresponding to occurrences of +. The reason is that between 
any pair of connected states there can only be a transition from the former state 
to the latter and a transition from the latter state back to the former, with 
the two transitions sharing the same name as they are generated by the same 
action $<a, \lambda, \mu>$. The underlying CTMC, obtained by removing actions from 
transitions, turns out to be not only ergodic, but also time reversible due to 
its tree-like birth-death structure [13]. The considered calculus thus combines 
causality-consistent reversibility with time reversibility like in [4]. 


Example 5. The labeled transition systems generated by the rules in Table 3 
for the two Markovian processes $<a, \lambda, \mu>.0 + <a, \lambda, \mu>.0$ and $<a, \lambda, \mu>.0$ 
are shown below: 

[Figure omitted: $<a, \lambda, \mu>.0 + <a, \lambda, \mu>.0$ has two $a, \lambda$-transitions, to $<a^\dagger, \lambda, \mu>.0 + <a, \lambda, \mu>.0$ and to $<a, \lambda, \mu>.0 + <a^\dagger, \lambda, \mu>.0$, each returning to it with an $a, \mu$-transition; $<a, \lambda, \mu>.0$ has one $a, \lambda$-transition to $<a^\dagger, \lambda, \mu>.0$, which returns with an $a, \mu$-transition.] 

The generation of a single $a$-transition from $<a, \lambda, \mu>.0 + <a, \lambda, \mu>.0$ on the 
left would have been wrong, as it would have not reflected the total exit rate 
$2 \cdot \lambda$ of the source state. Several solutions to this problem have been proposed for 
Markovian process calculi without reversibility, while in our setting the problem 
is naturally prevented by action decorations within processes. 
3.5 Bisimilarities for Markovian Reversible Processes 


We now define the Markovian variants of forward bisimilarity, reverse bisimi- 
larity, and forward-reverse bisimilarity based on the CTMC theory recalled in 
Sections 3.1 to 3.3. 

In the forward case, it is known that the (discrete-time) probabilistic bisim- 
ilarity of [17] and the (continuous-time) Markovian bisimilarity of [12] induce 
an ordinary lumping on the Markov chains underlying the considered processes, 
hence so does $\sim_{\rm MFB}$ below. Unlike Definition 8, in Definition 11 the rate equality 
check is applied inside each class too and hence not all ordinary lumpings can be 
induced by $\sim_{\rm MFB}$, in particular not the one identifying every pair of processes. 

The reason is that while in Markov chain theory one is interested in state 
probabilities, in concurrency theory one experiments with processes by observing 
the labels of the transitions that are executed [9,1,17]. In particular, two 
processes with different total exit rates cannot be identified by $\sim_{\rm MFB}$ below, 
which is perfectly justifiable from an observational viewpoint. As an example, 
consider a state with a self-looping $\lambda$-transition and a state with a self-looping 
$\mu$-transition. The two states would be deemed ordinarily lumpable according to 
Definition 8, although the more $\lambda$ and $\mu$ are different, the easier it is for an 
observer to tell those two states apart. 

In the following, $\{\!|$ and $|\!\}$ denote multiset parentheses, while $\mathbb{P}_{\rm M}/\mathcal{B}$ is the set 
of equivalence classes induced by the equivalence relation $\mathcal{B}$ over $\mathbb{P}_{\rm M}$. 


Definition 11. We say that $P_1, P_2 \in \mathbb{P}_{\rm M}$ are Markovian forward bisimilar, written 
$P_1 \sim_{\rm MFB} P_2$, iff $(P_1, P_2) \in \mathcal{B}$ for some Markovian forward bisimulation $\mathcal{B}$. 
An equivalence relation $\mathcal{B}$ over $\mathbb{P}_{\rm M}$ is a Markovian forward bisimulation iff 
for all $(P_1, P_2) \in \mathcal{B}$, $a \in A$, and $C \in \mathbb{P}_{\rm M}/\mathcal{B}$: 
$$\mathit{rate}_{\rm out}(P_1, a, C) = \mathit{rate}_{\rm out}(P_2, a, C)$$ 
where $\mathit{rate}_{\rm out}(P, a, C) = \sum \{\!|\, \xi \in \mathbb{R}_{> 0} \mid \exists P' \in C .\ P \xrightarrow{a, \xi}_{\rm M} P' \,|\!\}$. 


In the reverse case, incoming transitions are considered instead of outgoing 
ones. As in [6,26], in the definition of $\sim_{\rm MRB}$ below an additional condition about 
total exit rate equality is needed, which in Definition 9 is naturally handled 
through the diagonal elements of the infinitesimal generator matrix. It is easily 
seen that $\sim_{\rm MRB}$ induces an exact lumping on the Markov chains underlying the 
considered processes, but not all exact lumpings can be induced. 


Definition 12. We say that $P_1, P_2 \in \mathbb{P}_{\rm M}$ are Markovian reverse bisimilar, written 
$P_1 \sim_{\rm MRB} P_2$, iff $(P_1, P_2) \in \mathcal{B}$ for some Markovian reverse bisimulation $\mathcal{B}$. 
An equivalence relation $\mathcal{B}$ over $\mathbb{P}_{\rm M}$ is a Markovian reverse bisimulation iff 
for all $(P_1, P_2) \in \mathcal{B}$ and $a \in A$: 
$$\mathit{rate}_{\rm out}(P_1, a, \mathbb{P}_{\rm M}) = \mathit{rate}_{\rm out}(P_2, a, \mathbb{P}_{\rm M})$$ 
and for all $C \in \mathbb{P}_{\rm M}/\mathcal{B}$: 
$$\mathit{rate}_{\rm in}(P_1, a, C) = \mathit{rate}_{\rm in}(P_2, a, C)$$ 
where $\mathit{rate}_{\rm in}(P, a, C) = \sum \{\!|\, \xi \in \mathbb{R}_{> 0} \mid \exists P' \in C .\ P' \xrightarrow{a, \xi}_{\rm M} P \,|\!\}$. 


In the forward-reverse case, $\sim_{\rm MFRB}$ below induces a strict lumping on the 
Markov chains underlying the considered processes. 

Definition 13. We say that $P_1, P_2 \in \mathbb{P}_{\rm M}$ are Markovian forward-reverse bisimilar, 
written $P_1 \sim_{\rm MFRB} P_2$, iff $(P_1, P_2) \in \mathcal{B}$ for some Markovian forward-reverse 
bisimulation $\mathcal{B}$. An equivalence relation $\mathcal{B}$ over $\mathbb{P}_{\rm M}$ is a Markovian forward-reverse 
bisimulation iff for all $(P_1, P_2) \in \mathcal{B}$, $a \in A$, and $C \in \mathbb{P}_{\rm M}/\mathcal{B}$: 
$$\mathit{rate}_{\rm out}(P_1, a, C) = \mathit{rate}_{\rm out}(P_2, a, C)$$ 
$$\mathit{rate}_{\rm in}(P_1, a, C) = \mathit{rate}_{\rm in}(P_2, a, C)$$ 


It is worth noting that any aggregated state resulting from an ordinary lumping 
is $\sim_{\rm MFB}$-equivalent to each of the original states it contains, while this is not 
necessarily the case for exact lumping and $\sim_{\rm MRB}$, where $\sim_{\rm MRB}$-equivalence certainly 
holds only among the original states contained in an aggregated state. 
This is the fourth asymmetry between forward and reverse bisimilarity. 


Example 6. The three CTMCs of Example 3 can be viewed as underlying the 
labeled transition systems of the following three initial processes: 

$<a, \lambda_1, \mu_1>.0 + <a, \lambda_2, \mu_2>.0$ corresponding to $s_0$ 
$<a, \lambda_1 + \lambda_2, \mu>.0$ corresponding to $s_0$ 
$<a, 2 \cdot \lambda, \mu>.0$ corresponding to $s_0$ 

with: 

$<a^\dagger, \lambda_1, \mu_1>.0 + <a, \lambda_2, \mu_2>.0$ corresponding to $s_1$ 
$<a, \lambda_1, \mu_1>.0 + <a^\dagger, \lambda_2, \mu_2>.0$ corresponding to $s_2$ 
$<a^\dagger, \lambda_1 + \lambda_2, \mu>.0$ corresponding to $s'$ 
$<a^\dagger, 2 \cdot \lambda, \mu>.0$ corresponding to $s''$ 

If $\mu_1 = \mu_2 \triangleq \mu$ but $\lambda_1 \neq \lambda_2$, then: 

$<a, \lambda_1, \mu>.0 + <a, \lambda_2, \mu>.0 \sim_{\rm MFB} <a, \lambda_1 + \lambda_2, \mu>.0$ 
$<a^\dagger, \lambda_1, \mu>.0 + <a, \lambda_2, \mu>.0 \sim_{\rm MFB} <a^\dagger, \lambda_1 + \lambda_2, \mu>.0$ 
$<a, \lambda_1, \mu>.0 + <a^\dagger, \lambda_2, \mu>.0 \sim_{\rm MFB} <a^\dagger, \lambda_1 + \lambda_2, \mu>.0$ 

If $\lambda_1 = \lambda_2 \triangleq \lambda$ and $\mu_1 = \mu_2 \triangleq \mu$, then: 

$<a, \lambda, \mu>.0 + <a, \lambda, \mu>.0 \sim_{\rm MFB} <a, 2 \cdot \lambda, \mu>.0$ 
$<a^\dagger, \lambda, \mu>.0 + <a, \lambda, \mu>.0 \sim_{\rm MFB} <a^\dagger, 2 \cdot \lambda, \mu>.0$ 
$<a, \lambda, \mu>.0 + <a^\dagger, \lambda, \mu>.0 \sim_{\rm MFB} <a^\dagger, 2 \cdot \lambda, \mu>.0$ 

but: 

$<a, \lambda, \mu>.0 + <a, \lambda, \mu>.0 \not\sim_{\rm MRB} <a, 2 \cdot \lambda, \mu>.0$ 
$<a^\dagger, \lambda, \mu>.0 + <a, \lambda, \mu>.0 \not\sim_{\rm MRB} <a^\dagger, 2 \cdot \lambda, \mu>.0$ 
$<a, \lambda, \mu>.0 + <a^\dagger, \lambda, \mu>.0 \not\sim_{\rm MRB} <a^\dagger, 2 \cdot \lambda, \mu>.0$ 

with the only exception of the following two contained in the same aggregate: 

$<a^\dagger, \lambda, \mu>.0 + <a, \lambda, \mu>.0 \sim_{\rm MRB} <a, \lambda, \mu>.0 + <a^\dagger, \lambda, \mu>.0$ 

Unlike $\sim_{\rm FB}$, it holds that $\sim_{\rm MFB}$ is sensitive to the presence of the past, 
so that in Definition 11 it is not necessary to require $\mathit{initial}(P_1) \Leftrightarrow \mathit{initial}(P_2)$ 
to gain compositionality with respect to alternative composition. For example: 
$$<a^\dagger, \lambda, \mu>.<b, \delta, \gamma>.0 \not\sim_{\rm MFB} <b, \delta, \gamma>.0$$ 
because the process on the left has an outgoing $a$-transition with rate $\mu$ that 
cannot be matched by the process on the right. 

Furthermore, unlike $\sim_{\rm FB,ps}$, it holds that $\sim_{\rm MFB}$ cannot identify processes 
with a different past. For instance: 
$$<a^\dagger, \lambda, \mu>.0 \not\sim_{\rm MFB} <b^\dagger, \delta, \gamma>.0$$ 
whenever $a \neq b$ or $\mu \neq \gamma$, as in that case the outgoing $a$-transition on the left 
cannot be matched by the outgoing $b$-transition on the right. 

Similarly, unlike $\sim_{\rm RB}$, we have that $\sim_{\rm MRB}$ is sensitive to the presence of the 
future and cannot identify processes with a different future. As an example: 
$$<a, \lambda, \mu>.0 \not\sim_{\rm MRB} 0$$ 
because the process on the left has an incoming $a$-transition with rate $\mu$ that 
cannot be matched by the process on the right. As another example: 
$$<a, \lambda, \mu>.0 \not\sim_{\rm MRB} <b, \delta, \gamma>.0$$ 
whenever $a \neq b$ or $\mu \neq \gamma$, as in that case the incoming $a$-transition on the left 
cannot be matched by the incoming $b$-transition on the right. 

We conclude by showing that $\sim_{\rm MFRB}$ coincides with $\sim_{\rm MRB}$ (whilst $\sim_{\rm MFB}$ is 
strictly coarser), thus extending the first asymmetry between forward and reverse 
bisimilarities (see page 5). This result stems from the definition of the operational 
semantics and the consequent time reversibility of the underlying CTMCs. 

Theorem 5. Let $P_1, P_2 \in \mathbb{P}_{\rm M}$. Then $P_1 \sim_{\rm MFRB} P_2$ iff $P_1 \sim_{\rm MRB} P_2$. 
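The Markovian bisimilarities of Definitions 11 to 13 can be computed by refining a partition until every process in a block has the same rates towards every block, exactly as lumpability is checked on a CTMC. The Python code below is an added illustration, not code from the paper: it implements the syntax of Section 3.4, the single transition relation of Table 3 (with the rule names as reconstructed there), the functions $\mathit{rate}_{\rm out}$ and $\mathit{rate}_{\rm in}$, and the three equivalences on exact rational rates; the checks reproduce Example 6, the examples of this section, the $\sim_{\rm MFRB}$ example that opens Section 3.6, and axiom A$_{{\rm M},4}$ of Table 4. The term encoding and the concrete rate values are constructed here.

```python
# Added example (not the paper's code): Markovian reversible processes with the
# rules of Table 3, rate_out / rate_in of Definitions 11-13, and ~MFB, ~MRB,
# ~MFRB by partition refinement. Term encoding and rate values are constructed.
from fractions import Fraction as F

NIL = ('nil',)

def mpre(a, lam, mu, p, done=False):
    """<a,λ,μ>.P (done=False) or <a†,λ,μ>.P (done=True)."""
    return ('pre', a, F(lam), F(mu), done, p)

def plus(p, q):
    return ('sum', p, q)

def initial(p):
    if p == NIL:
        return True
    if p[0] == 'pre':
        return (not p[4]) and initial(p[5])
    return initial(p[1]) and initial(p[2])

def steps(p):
    """Transitions of P as (action, rate, P') triples, both directions included."""
    if p == NIL:
        return
    if p[0] == 'pre':
        _, a, lam, mu, done, q = p
        if initial(q):
            if not done:                          # ACT_f: execute a at rate λ
                yield a, lam, ('pre', a, lam, mu, True, q)
            else:                                 # ACT_r: undo a at rate μ
                yield a, mu, ('pre', a, lam, mu, False, q)
        if done:                                  # ACT_p: P moves below a†
            for b, xi, q2 in steps(q):
                yield b, xi, ('pre', a, lam, mu, True, q2)
        return
    _, p1, p2 = p
    if initial(p2):                               # CHO_l
        for a, xi, p1n in steps(p1):
            yield a, xi, ('sum', p1n, p2)
    if initial(p1):                               # CHO_r
        for a, xi, p2n in steps(p2):
            yield a, xi, ('sum', p1, p2n)

def lts(*roots):
    """Connected labeled transition system of the roots; since the single
    relation already contains the backward transitions, no to_initial is needed."""
    states, trans, todo = set(), [], list(roots)
    while todo:
        p = todo.pop()
        if p in states:
            continue
        states.add(p)
        for a, xi, q in steps(p):
            trans.append((p, a, xi, q))
            todo.append(q)
    return states, trans

def rate_out(p, a, C, trans):
    """Sum of the rates of the a-transitions from p into the class C."""
    return sum(xi for s, b, xi, t in trans if s == p and b == a and t in C)

def rate_in(p, a, C, trans):
    """Sum of the rates of the a-transitions from the class C into p."""
    return sum(xi for s, b, xi, t in trans if t == p and b == a and s in C)

def m_bisimilar(p1, p2, forward=True, reverse=False):
    """forward: ~MFB; reverse: ~MRB (with the total exit rate condition of
    Definition 12); both: ~MFRB. Blocks are split until all states of a block
    have the same rate signature towards every block."""
    states, trans = lts(p1, p2)
    actions = sorted({a for _, a, _, _ in trans})
    block = {s: 0 for s in states}
    while True:
        classes = {}
        for s in states:
            classes.setdefault(block[s], set()).add(s)
        def signature(s):
            parts = [block[s]]
            for a in actions:
                for _, C in sorted(classes.items()):
                    if forward:
                        parts.append(rate_out(s, a, C, trans))
                    if reverse:
                        parts.append(rate_in(s, a, C, trans))
                if reverse:
                    parts.append(rate_out(s, a, states, trans))
            return tuple(parts)
        sigs = {s: signature(s) for s in states}
        ids = {sig: i for i, sig in enumerate(sorted(set(sigs.values())))}
        if len(ids) == len(classes):
            return block[p1] == block[p2]         # stable partition reached
        block = {s: ids[sigs[s]] for s in states}

MFB = dict(forward=True, reverse=False)
MRB = dict(forward=False, reverse=True)
MFRB = dict(forward=True, reverse=True)

if __name__ == '__main__':
    P = plus(mpre('a', 1, 5, NIL), mpre('a', 2, 5, NIL))
    Q = mpre('a', 3, 5, NIL)
    print('~MFB:', m_bisimilar(P, Q, **MFB), ' ~MRB:', m_bisimilar(P, Q, **MRB))
```

On the processes of Example 6 the forward variant merges the two summands into one transition of rate $\lambda_1 + \lambda_2$ (the block-level sum is all that `rate_out` compares), whereas the reverse variant sees that $s_0$ receives $2 \cdot \mu$ from its aggregate but $s_0$ of the lumped process receives only $\mu$; on every pair checked, `MFRB` agrees with `MRB`, as Theorem 5 states.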


3.6 Congruence Properties and Equational Characterizations 


We start by observing that $\sim_{\rm MFB}$ is not totally sensitive to the past, in the same 
way as $\sim_{\rm MRB}$ is not totally sensitive to the future. For both equivalences this 
results in a compositionality violation with respect to $+$. As an example: 
$$<a, \lambda, \lambda>.0 \sim_{\rm MFRB} <a^\dagger, \lambda, \lambda>.0$$ 
$$<a, \lambda, \lambda>.0 + <c, \kappa_1, \kappa_2>.0 \not\sim_{\rm MFRB} <a^\dagger, \lambda, \lambda>.0 + <c, \kappa_1, \kappa_2>.0$$ 
because in $<a^\dagger, \lambda, \lambda>.0 + <c, \kappa_1, \kappa_2>.0$ action $c$ is disabled due to the presence 
of the already executed action $a^\dagger$, while in $<a, \lambda, \lambda>.0 + <c, \kappa_1, \kappa_2>.0$ action $c$ 
is enabled as there are no past actions preventing it from occurring. 

Note that $\sim_{\rm MFRB}$ would not equate the first two processes if their two rates 
were $\lambda_1$ and $\lambda_2$ with $\lambda_1 \neq \lambda_2$ or there were any other process in place of $0$. Therefore, 
when investigating congruence with respect to alternative composition, 
we will consider the set of processes $\mathbb{P}'_{\rm M} = \mathbb{P}_{\rm M} \setminus \{<a, \lambda, \lambda>.0 \mid a \in A, \lambda \in \mathbb{R}_{> 0}\}$. 


Theorem 6. Let $\sim_{\rm M} \in \{\sim_{\rm MFB}, \sim_{\rm MRB}\}$ and $P_1, P_2 \in \mathbb{P}_{\rm M}$: 

— If $P_1 \sim_{\rm M} P_2$ then for all $a \in A$ and $\lambda, \mu \in \mathbb{R}_{> 0}$: 
• $<a, \lambda, \mu>.P_1 \sim_{\rm M} <a, \lambda, \mu>.P_2$ provided that $\mathit{initial}(P_1) \wedge \mathit{initial}(P_2)$. 
• $<a^\dagger, \lambda, \mu>.P_1 \sim_{\rm M} <a^\dagger, \lambda, \mu>.P_2$. 
— If $P_1 \sim_{\rm M} P_2$ with $P_1, P_2 \in \mathbb{P}'_{\rm M}$ then for all $P \in \mathbb{P}_{\rm M}$: 
• $P_1 + P \sim_{\rm M} P_2 + P$ and $P + P_1 \sim_{\rm M} P + P_2$ provided that $\mathit{initial}(P) \vee 
(\mathit{initial}(P_1) \wedge \mathit{initial}(P_2))$. 


With regard to equational characterizations, as expected ~MFB and ~MRB 
are such that alternative composition is associative and commutative and admits 
0 as neutral element. This is formalized by axioms A_M,1 to A_M,3 in Table 4. 

Markovian variants of axioms A4 to A6 in Table 2 are not valid for ~MFB 
because this behavioral equivalence is sensitive to the presence of the past, cannot 
identify processes with a different past, and views all the transitions as outgoing. 
(A_M,1)  (P1 + P2) + P3 = P1 + (P2 + P3) 
(A_M,2)  P1 + P2 = P2 + P1 
(A_M,3)  P + 0 = P 
(A_M,4)  [~MFB]  <a, λ1, μ>.P + <a, λ2, μ>.P = <a, λ1 + λ2, μ>.P 
                 where initial(P) 
(A_M,5)  [~MFB]  <a†, λ1, μ>.P + <a, λ2, μ>.Q = <a†, λ1 + λ2, μ>.P 
                 if to_initial(P) = Q, where initial(Q) 


Table 4. Axioms characterizing bisimilarity over Markovian reversible processes 


Likewise, Markovian variants of axioms A7 and A8 in Table 2 are not valid 
for ~MRB because this behavioral equivalence is sensitive to the presence of 
the future, cannot identify processes with a different future, and views all the 
transitions as incoming. 

As for idempotency, Markovian variants of axioms A9 and A10 in Table 2, 
which are formalized by axioms A_M,4 and A_M,5 in Table 4, are valid only for 
~MFB as shown in Example 6. We further observe that in the considered example: 

<a†, λ, μ>.0 + <a, λ, μ>.0 ~MFB <a, λ, μ>.0 + <a†, λ, μ>.0 

can be proved via axiom A_M,2. 


Theorem 7. Let A_MFB = {A_M,1, A_M,2, A_M,3, A_M,4, A_M,5} and P1, P2 ∈ P'_M. 
Then P1 ~MFB P2 iff A_MFB ⊢ P1 = P2. □ 

Theorem 8. Let A_MRB = {A_M,1, A_M,2, A_M,3} and P1, P2 ∈ P_M. Then 
P1 ~MRB P2 iff A_MRB ⊢ P1 = P2. □ 


4 Conclusions 


In this paper, we have discovered the following asymmetries that shed light on 
forward bisimilarity, reverse bisimilarity, and forward-reverse bisimilarity: 


1. In the nondeterministic case ~FRB = ~FB over initial processes only, while 
in the Markovian case ~MFRB = ~MRB over all reachable processes. 

2. The insensitivity to the presence of the past breaks the compositionality of 
~FB, while the insensitivity to the presence of the future does not violate 
the compositionality of ~RB. This does not happen in the Markovian case. 

3. Forward bisimilarity needs explicit idempotency axioms, while reverse bisim- 
ilarity does not, especially in the nondeterministic case. 

4. Any aggregated state resulting from an ordinary lumping is ~MFB-equivalent 
to each of the original states it contains, while this is not necessarily the case 
for exact lumping and ~MRB, where ~MRB-equivalence certainly holds only 
among the original states contained in an aggregated state. 


As future work, we plan to investigate logical characterizations of the same 
equivalences, along with what changes when admitting irreversible actions. 
Abstract. Probabilistic bisimilarity distances measure the similarity of 
behaviour of states of a labelled Markov chain. The smaller the distance 
between two states, the more alike they behave. Their distance is zero 
if and only if they are probabilistic bisimilar. Recently, algorithms have 
been developed that can compute probabilistic bisimilarity distances for 
labelled Markov chains with thousands of states within seconds. However, 
say we compute that the distance of two states is 0.125. How does one 
explain that 0.125 captures the similarity of their behaviour? 

In this paper, we address this question by returning to the definition 
of probabilistic bisimilarity distances proposed by Desharnais, Gupta, 
Jagadeesan, and Panangaden more than two decades ago. We use a slight 
variation of their logic to construct for each pair of states a sequence of 
formulas that explains the probabilistic bisimilarity distance of the states. 
Furthermore, we present an algorithm that computes those formulas and 
we show that each formula can be computed in polynomial time. 

We also prove that our logic is minimal. That is, if we leave out any 
operator from the logic, then the resulting logic no longer provides a 
logical characterization of the probabilistic bisimilarity distances. 


1 Introduction 


The behavioural equivalence bisimilarity, due to Milner [41] and Park [44], is one 
of the cornerstones of concurrency theory. It captures which states of a labelled 
transition system, a simple yet widely used model of concurrent systems, behave 
the same. Hennessy and Milner [29] provided a logical characterization of bisim- 
ilarity by introducing a logic, known as Hennessy-Milner logic, and proving that 
states are bisimilar if and only if they satisfy the same formulas of the logic. If the 
labelled transition system has finitely many states then for two states that are 
not bisimilar there exists a formula, often referred to as a distinguishing formula, 
such that one state satisfies the formula whereas the other state does not. This 
formula explains why the two states are not bisimilar. Cleaveland [12] presented 
a polynomial time algorithm that computes a distinguishing formula for states 
that are not bisimilar. Consider the following labelled transition system. 


* Supported by the Natural Sciences and Engineering Research Council of Canada. 


© The Author(s) 2023 
O. Kupferman and P. Sobocinski (Eds.): FoSSaCS 2023, LNCS 13992, pp. 285-307, 2023. 
https://doi.org/10.1007/978-3-031-30829-1_14 


[Figure: labelled transition system with states s and t] 


The states s and t are not bisimilar. This can be explained by a formula that 
expresses that a state can transition to a state that can subsequently transition 
to a purple (square) state as well as a green (hexagon) state. State s satisfies 
this formula but state t does not. 

To model randomness in systems, labelled Markov chains are often used. 
Larsen and Skou [39] introduced probabilistic bisimilarity to capture which states 
of a labelled Markov chain behave the same. They also introduced a logic that 
characterizes probabilistic bisimilarity. Desharnais, Edalat, and Panangaden [19] 
simplified that logic and presented a polynomial time algorithm that produces 
a formula that distinguishes two states which are not probabilistic bisimilar. 
Consider the following labelled Markov chain. 


[Figure: labelled Markov chain with states s, t, u, v and transition probabilities 1/2, 1/2, 5/8, 3/8, 1, 1, 1, 1] 

The states s and t are not probabilistic bisimilar. State t can transition with 
more than probability 1/2 to a green state that can transition to a purple state, 
whereas state s cannot. This property can be expressed in the logic, giving rise 
to a formula that distinguishes the states s and t. 

Giacalone, Jou, and Smolka [27] observed that probabilistic bisimilarity is not 
robust. Miniscule changes to the probabilities may alter which states are proba- 
bilistic bisimilar. Instead of an equivalence relation, they suggested exploiting a 
pseudometric to capture the behavioural similarity of states. That is, each pair of 
states is assigned a distance, a real number in the interval [0,1], which measures 
how similar the states behave. The smaller the distance, the more alike the states 
behave. Distance zero captures that the states are behaviourally equivalent. 

Desharnais, Gupta, Jagadeesan, and Panangaden [20] presented such a pseu- 
dometric. They showed that distance zero captures probabilistic bisimilarity. 
Therefore, those distances are known as probabilistic bisimilarity distances. These 
distances can be computed in polynomial time, as has been shown by Chen et 
al. [11]. Tang [48] developed and implemented algorithms that can compute the 
probabilistic bisimilarity distances for labelled Markov chains with thousands of 
states within seconds. The states s and t in the above labelled Markov chain 
have distance 0.125. How does one explain that 0.125 captures the similarity of 
their behaviour? That is the main question that we address in this paper. 




To define their probabilistic bisimilarity distances, Desharnais et al. intro- 
duce a logic. The labelled Markov chains that they consider differ slightly from 
the ones we study in this paper: they label transitions whereas we label states 
(by colours/shapes), and where we require that the probabilities of the outgoing 
transitions of a state add up to one, they allow them to sum to less than one as 
well. State-labelled Markov chains have become the norm in probabilistic model 
checking. Probabilistic model checkers such as PRISM [38] and Storm [14] con- 
sider state-labelled Markov chains. Since each transition-labelled Markov chain 
can be encoded as a state-labelled one [46], this difference does not substantially 
impact any of the results. If the probabilities do not sum to one, one can add an 
additional state and transition to that state with the remaining probability. Also 
this difference does not significantly change the results. Adjusted to our setting, 
slightly simplified, and using a different syntax, the logic can be captured by the 
following grammar: 


φ ::= a | ¬φ | φ ∧ φ | ◯φ | φ ⊖ q 


where a is a label of a state and q is a rational in the interval [0,1]. This logic 
characterizes the probabilistic bisimilarity distances (see, for example, [20,6]). 
Roughly speaking, the distance of two states is determined by a formula of the 
logic that distinguishes them the most. Such a formula explains their proba- 
bilistic bisimilarity distance. Consider, for example, the states s and t in the 
above labelled Markov chain. As we already mentioned, their distance is 0.125. 
This distance can be explained by the formula ◯(⬡ ∧ ◯□), where ⬡ stands for 
the green (hexagon) label and □ for the purple (square) label. This formula cap- 
tures the probability of reaching a green state in one transition and subsequently 
reaching a purple state after the second transition. For state s that probability 
is 0.5 and it is 0.625 for state t. Note that the ◯ operator is similar to the next 
operator of linear temporal logic. Roughly, the interpretation of the formula ◯φ 
in state s is the probability that φ holds in the successors of s. 

As is common, we provide the above logic with a real-valued interpretation. 
For a formula of the logic, its interpretation maps each state of the labelled 
Markov chain to a real value in the interval [0,1]. For example, for the for- 
mula ◯(⬡ ∧ ◯□), its interpretation in state s is denoted by [[◯(⬡ ∧ ◯□)]](s) 
and has the value 0.5. The value of [[◯(⬡ ∧ ◯□)]](t) is 0.625. Their difference, 
which is 0.125, is the distance of the states s and t. The distinguishing formula 
for the states s and t is fairly simple. As we will discuss next, we need all the 
operators of the logic to explain the probabilistic bisimilarity distances and a 
single formula may not suffice. 


1.1 Main Results 


As we will show, the above logic is a minimal logic that characterizes the prob- 
abilistic bisimilarity distances. That is, if we remove any operator from the logic 
then the resulting logic does not characterize the probabilistic bisimilarity dis- 
tances anymore. Furthermore, we will demonstrate that there exist finite labelled 
Markov chains for which the distances of some states cannot be explained by 
a single formula. However, as we will prove, we can explain the probabilistic 
bisimilarity distances by means of a sequence of formulas. Given two states, say 
u and v, we will construct a sequence of formulas φ^0_{uv}, φ^1_{uv}, φ^2_{uv}, ... such that 
the sequence 

[[φ^0_{uv}]](u) − [[φ^0_{uv}]](v), [[φ^1_{uv}]](u) − [[φ^1_{uv}]](v), [[φ^2_{uv}]](u) − [[φ^2_{uv}]](v), ... 

converges to the probabilistic bisimilarity distance of u and v. We will also 
present an algorithm that computes those formulas and we will show that each 
formula can be computed in polynomial time. 


1.2 Related Work 


In addition to the references to the literature mentioned above, next we will dis- 
cuss some other related work. Many of the behavioural equivalences have been 
characterized logically. For example, Feng and Zhang [25] provide a logical char- 
acterization of probabilistic bisimilarity for probabilistic automata. Bernardo 
and Miculan [4] present an algorithm that builds a distinguishing formula for 
states of a probabilistic automaton that are not probabilistic bisimilar. König, 
Mika-Michalski, and Schröder [37] propose a general method to construct a dis- 
tinguishing formula for a variety of systems, including probabilistic automata. 


Behavioural pseudometrics have been introduced for a large variety of sys- 
tems that model randomness. For example, Ferns, Panangaden, and Precup [26] 
study probabilistic bisimilarity distances for Markov decision processes, Deng, 
Chothia, Palamidessi, and Pang [15] introduce them for probabilistic automata, 
and De Alfaro, Majumdar, Raman, and Stoelinga [1] present them for games. 


Also many behavioural pseudometrics have been characterized logically. For 
example, Desharnais, Laviolette, and Tracol [23] present a logical characteri- 
zation of ε-bisimilarity, a notion closely related to distances, for probabilistic 
automata. Du, Deng, and Gebler [24] logically characterize probabilistic bisimi- 
larity distances for probabilistic automata. Pantelic and Lawford [43] provide a 
logical characterization of a behavioural pseudometric for probabilistic discrete 
event structures. Komorida et al. [35], König and Mika-Michalski [36], Wild and 
Schröder [51], as well as Wißmann, Milius, and Schröder [52], present general 
frameworks to obtain logical characterizations of behavioural pseudometrics. 


Whereas many logics for systems with randomness have a real-valued inter- 
pretation, Castiglione, Gebler, and Tini [9,10] introduce a logic for probabilistic 
automata with a boolean-valued interpretation. Their logic contains an operator 
with which we can express properties such as “a state can transition with prob- 
ability a half to a purple state and with probability a half to a green state.” It 
is this operator that allows them to define a mimicking formula of a state. As 
the name suggests, this formula mimics the behaviour of the state. Furthermore, 
they endow the formulas with a pseudometric and show that the probabilistic 
bisimilarity distance of two states is the distance of their mimicking formulas. 
Hence, the distance of two states can be explained by means of the mimicking 
formulas of those states. 
2 Labelled Markov Chains and Probabilistic Bisimilarity 
Distances 


In this section, we introduce several key notions that play a central role in the re- 
mainder of the paper. We define the model of interest, namely a labelled Markov 
chain. Furthermore, we introduce probabilistic bisimilarity, an equivalence rela- 
tion that captures which states of a labelled Markov chain behave the same, and 
probabilistic bisimilarity distances, which measure the similarity of behaviour of 
those states. 

First, we recall some notions from probability theory. Given a finite set X, 
a function μ : X → [0,1] is a probability distribution on X if Σ_{x∈X} μ(x) = 1. 
We denote the set of probability distributions on X by D_R(X). For μ ∈ D_R(X) 
and A ⊆ X, we often write μ(A) for Σ_{x∈A} μ(x). Similarly, for ω ∈ D_R(X × X), 
a ∈ X, and A ⊆ X, we usually write ω(a, A) for Σ_{x∈A} ω(a, x). For μ ∈ D_R(X), 
we define the support of μ by support(μ) = {x ∈ X | μ(x) > 0}. A probability 
distribution μ ∈ D_R(X) is rational if μ(x) ∈ Q for all x ∈ X. We denote the set 
of rational probability distributions on X by D_Q(X). Obviously, D_Q ⊆ D_R. 


Definition 1. A labelled Markov chain is a tuple (S, L, τ, ℓ) consisting of 


— a finite set S of states, 

— a finite set L of labels, 

— a transition probability function τ : S → D_Q(S), and 
— a labelling function ℓ : S → L. 


We restrict the transition probabilities to rationals as we will compute with 
them in Sections 6 and 7. For the remainder, we fix a labelled Markov chain 
(S, L, τ, ℓ). We define probabilistic bisimilarity by means of the set Ω_R(μ, ν) which 
is known as the transportation polytope [33] of the probability distributions μ 
and ν. 


Definition 2. For all μ, ν ∈ D_R(S), the set Ω_R(μ, ν) is defined by 
Ω_R(μ, ν) = {ω ∈ D_R(S × S) | ∀s ∈ S : ω(s, S) = μ(s) ∧ ω(S, s) = ν(s)}. 


Definition 3. A relation R ⊆ S × S is a probabilistic bisimulation if for all 
(s,t) ∈ R, ℓ(s) = ℓ(t) and there exists ω ∈ Ω_R(τ(s), τ(t)) with support(ω) ⊆ R. 
States s and t are probabilistic bisimilar, denoted s ~ t, if (s,t) € R for some 
probabilistic bisimulation R. 


To define the probabilistic bisimilarity distances, it is convenient to partition 
the set of state pairs into the following three sets. 


Definition 4. The sets S²_0, S²_1 and S²_? are defined by 
S²_0 = {(s,t) ∈ S × S | s ∼ t} 
S²_1 = {(s,t) ∈ S × S | ℓ(s) ≠ ℓ(t)} 
S²_? = (S × S) \ (S²_0 ∪ S²_1) 
The set S²_0 contains those state pairs that have distance zero (cf. Theorem 6). 
The set S²_1 contains those state pairs that have a different label and, therefore, 
have distance one (cf. Definition 5). The set S²_? contains the remaining state 
pairs. Note that some of these state pairs may have distance one, but cannot 
have distance zero. The probabilistic bisimilarity distances are defined in terms 
of the following function. 


Definition 5. The function Δ : (S × S → [0,1]) → (S × S → [0,1]) is defined 
by 

Δ(d)(s,t) = 0                                                    if (s,t) ∈ S²_0 
            1                                                    if (s,t) ∈ S²_1 
            inf_{ω ∈ Ω_R(τ(s),τ(t))} Σ_{u,v∈S} ω(u,v) d(u,v)     if (s,t) ∈ S²_? 


Let d ∈ S × S → [0,1] and ω ∈ D_R(S × S). Instead of Σ_{u,v∈S} ω(u,v) d(u,v) 
we write ω · d in the remainder to avoid clutter. Similarly, for f ∈ S → [0,1] and 
μ ∈ D_R(S) we write f · μ instead of Σ_{s∈S} f(s) μ(s). 

For d, e ∈ S × S → [0,1], we define d ⊑ e if for all s, t ∈ S, d(s,t) ≤ e(s,t). 
According to, for example, [22, Lemma 3.2], (S × S → [0,1], ⊑) is a complete 
lattice. Since the function Δ is a monotone function from a complete lattice to 
itself, we can conclude from the Knaster-Tarski fixed point theorem (see, for 
example, [13, Theorem 2.35]) that Δ has a least fixed point. We denote this 
least fixed point by δ. This least fixed point maps each pair of states to a real 
number in the interval [0,1]: the probabilistic bisimilarity distance of the states. 
Distance zero captures probabilistic bisimilarity. 


Theorem 6 ([21, Theorem 4.10]). For all s, t ∈ S, δ(s,t) = 0 if and only if 
s ∼ t. 


The probabilistic bisimilarity distance function δ is the limit of the distance 
functions δ_n, which only consider the first n transitions when comparing the 
similarity of the behaviour of states. This result can be seen as an instance of 
the Kleene fixed point theorem [34]. 


Definition 7. For each n ≥ 0, the function δ_n : S × S → [0,1] is defined by 


δ_n(s,t) = 0                  if n = 0 
           Δ(δ_{n−1})(s,t)    otherwise. 


Proposition 8. lim_{n→∞} δ_n = δ. 


3 A Logical Characterization 


Below, we present a logical characterization of the probabilistic bisimilarity dis- 
tances. We start with a logic very similar to the one introduced by Desharnais 
et al. [20]. 
Definition 9. The logic L¬ is defined by 


φ ::= a | ◯φ | ¬φ | φ ⊖ q | φ ∨ φ 
where a ∈ L and q ∈ Q ∩ [0,1]. 


The above logic is slightly different from the one presented in [20] as we 
consider Markov chains with labelled states, whereas Desharnais et al. studied 
Markov chains with labelled transitions. In particular, a and ◯φ were combined 
as ⟨a⟩φ. Since we restrict our attention to finite state systems, we can restrict 
ourselves to finite disjunctions. In our setting, the constants true and false can 
be expressed as ⋁_{a∈L} a (recall that we assume that the set L is finite as well) 
and ¬true, respectively. The logic of Desharnais et al. also contains the opera- 
tor [φ]_q which is redundant, as observed in [21, page 336]. The logic considered 
by Desharnais [18] lacks negation, but does include [φ]_q and conjunction. The 
real-valued interpretation of the logic of Desharnais et al., which considers la- 
belled transitions, is adjusted to our setting of labelled states as follows. 


Definition 10. The function [[·]] : L¬ → S → [0,1] is defined by 

[[a]](s)       = 1 if ℓ(s) = a 
                 0 otherwise 
[[◯φ]](s)      = [[φ]] · τ(s) 
[[¬φ]](s)      = 1 − [[φ]](s) 
[[φ ⊖ q]](s)   = max{[[φ]](s) − q, 0} 
[[φ ∨ ψ]](s)   = max{[[φ]](s), [[ψ]](s)} 

Note that [[false]] and [[true]] are the constant zero and constant one func- 
tions, respectively. The probabilistic bisimilarity distances can be characterized 
in terms of the logic. 


Theorem 11 ([5, Theorem 40 and 44]). For all s, t ∈ S, 


δ(s,t) = sup_{φ∈L¬} [[φ]](s) − [[φ]](t). 


In the remainder of this paper, we consider the following logic. This logic 
also characterizes probabilistic bisimilarity distances. As we will show later, this 
logic can explain the probabilistic bisimilarity distances more concisely than the 
logic presented above. 


Definition 12. The logic L is defined by 
φ ::= a | ◯φ | φ ⊖ q | φ ⊕ q | φ ∨ φ | φ ∧ φ 
where a ∈ L and q ∈ Q ∩ [0,1]. 


Note that negation has been removed and conjunction has been added. Also 
the operator ⊕q, which is dual to ⊖q, has been added. This logic is very similar 
to the one considered by Desharnais [18]. 
Definition 13. The function [[·]] : L → S → [0,1] of Definition 10 is modified 
by 

[[φ ⊕ q]](s) = min{[[φ]](s) + q, 1} 

[[φ ∧ ψ]](s) = min{[[φ]](s), [[ψ]](s)} 


As already mentioned above, also this logic characterizes the probabilistic 
bisimilarity distances. 


Theorem 14. For all s, t ∈ S, δ(s,t) = sup_{φ∈L} [[φ]](s) − [[φ]](t). 


Proof sketch. Each formula of L can be rewritten to an equivalent formula of L¬. 
For example, if φ is rewritten to ψ then φ ⊕ q is rewritten to ¬(¬ψ ⊖ q). Each 
formula of L has a dual: if [[ψ]] = 1 − [[φ]] then ψ is a dual of φ. For example, if ψ 
is a dual of φ then ψ ⊖ q is a dual of φ ⊕ q. Each formula of L¬ can be rewritten 
to an equivalent formula of L. For example, if φ is rewritten to ψ then ¬φ is 
rewritten to a dual of ψ. The result now follows from Theorem 11. 
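As an added example (not the authors' code), the following Python evaluates the real-valued interpretation of L from Definitions 10 and 13 on a small constructed labelled Markov chain modelled on the introduction's example, and checks the duality used in the proof sketch of Theorem 14, namely [[dual(φ)]] = 1 − [[φ]]. The chain, its state names and the tuple encoding of formulas are assumptions of this example.

```python
from fractions import Fraction as Fr

# Constructed example chain (an assumption of this example, not the paper's
# figure): s and t behave as described in the introduction. s moves to the
# green states u and v with probability 1/2 each, t with 5/8 and 3/8;
# u continues to a purple sink p, v to a green sink g.
LABEL = {"s": "green", "t": "green", "u": "green", "v": "green",
         "p": "purple", "g": "green"}
TAU = {
    "s": {"u": Fr(1, 2), "v": Fr(1, 2)},
    "t": {"u": Fr(5, 8), "v": Fr(3, 8)},
    "u": {"p": Fr(1)},
    "v": {"g": Fr(1)},
    "p": {"p": Fr(1)},
    "g": {"g": Fr(1)},
}
LABELS = sorted(set(LABEL.values()))   # the finite label set L

# Formulas of the logic L (Definition 12) as nested tuples:
#   ("false",)  ("label", a)  ("next", phi)  ("minus", phi, q)
#   ("plus", phi, q)  ("or", phi, psi)  ("and", phi, psi)


def sem(phi, s):
    """[[phi]](s): the real-valued interpretation of Definitions 10 and 13."""
    op = phi[0]
    if op == "false":                        # constant zero function
        return Fr(0)
    if op == "label":                        # 1 if l(s) = a, else 0
        return Fr(1) if LABEL[s] == phi[1] else Fr(0)
    if op == "next":                         # [[O phi]](s) = [[phi]] . tau(s)
        return sum((p * sem(phi[1], s2) for s2, p in TAU[s].items()), Fr(0))
    if op == "minus":                        # max{[[phi]](s) - q, 0}
        return max(sem(phi[1], s) - phi[2], Fr(0))
    if op == "plus":                         # min{[[phi]](s) + q, 1}
        return min(sem(phi[1], s) + phi[2], Fr(1))
    if op == "or":                           # max of the two interpretations
        return max(sem(phi[1], s), sem(phi[2], s))
    if op == "and":                          # min of the two interpretations
        return min(sem(phi[1], s), sem(phi[2], s))
    raise ValueError(f"unknown operator {op}")


def big_or(formulas):
    """Finite disjunction; the empty disjunction is false."""
    out = ("false",)
    for f in formulas:
        out = f if out == ("false",) else ("or", out, f)
    return out


def dual(phi):
    """A dual of phi as in the proof sketch of Theorem 14: [[dual(phi)]] = 1 - [[phi]].
    The negation of a label is the disjunction of the other labels and true is
    the disjunction of all labels, as the paper does for the logic L-not."""
    op = phi[0]
    if op == "false":
        return big_or(("label", a) for a in LABELS)
    if op == "label":
        return big_or(("label", a) for a in LABELS if a != phi[1])
    if op == "next":
        return ("next", dual(phi[1]))
    if op == "minus":
        return ("plus", dual(phi[1]), phi[2])
    if op == "plus":
        return ("minus", dual(phi[1]), phi[2])
    if op == "or":
        return ("and", dual(phi[1]), dual(phi[2]))
    return ("or", dual(phi[1]), dual(phi[2]))


def explained_distance(phi, s, t):
    """[[phi]](s) - [[phi]](t); by Theorem 14 this never exceeds delta(s, t)."""
    return sem(phi, s) - sem(phi, t)


GREEN, PURPLE = ("label", "green"), ("label", "purple")
# O(green and O purple): green after one step and purple after the second
GREEN_THEN_PURPLE = ("next", ("and", GREEN, ("next", PURPLE)))
# the simplified formulas that Section 5 reports for phi^3_ts and phi^3_st
PHI_TS = ("minus", GREEN_THEN_PURPLE, Fr(1, 2))
PHI_ST = ("minus", ("next", ("and", GREEN, ("next", GREEN))), Fr(3, 8))

if __name__ == "__main__":
    for name, phi in [("O(green & O purple)", GREEN_THEN_PURPLE),
                      ("phi^3_ts", PHI_TS), ("phi^3_st", PHI_ST)]:
        print(name, "s:", sem(phi, "s"), "t:", sem(phi, "t"),
              "s-t:", explained_distance(phi, "s", "t"),
              "t-s:", explained_distance(phi, "t", "s"))
    print("dual check:",
          all(sem(dual(PHI_TS), x) == 1 - sem(PHI_TS, x) for x in TAU))
```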


4 All Operators are Necessary 


The logic L is a minimal logic that characterizes the probabilistic bisimilarity 
distances. That is, if we remove any operator from the logic then the resulting 
logic does not characterize the probabilistic bisimilarity distances anymore. Due 
to lack of space, we only consider the logic L\⊕, which does not have the ⊕q 
operator. 


Definition 15. The logic L\⊕ is defined by 


φ ::= a | ◯φ | φ ⊖ q | φ ∨ φ | φ ∧ φ 
where a ∈ L and q ∈ Q ∩ [0,1]. 


Theorem 16. There exists a labelled Markov chain (S, L, τ, ℓ) and s, t ∈ S such 
that 


δ(s,t) > sup_{φ∈L\⊕} [[φ]](s) − [[φ]](t). 
Proof sketch. Consider the following labelled Markov chain. 

[Figure: labelled Markov chain with states s, t, u and v] 

It can be shown that δ(s,t) = z. Furthermore, we can prove that for all φ ∈ L\⊕ 
and q ∈ Q ∩ [0,1], if [[φ]](u) ≤ $ − $ then [[φ]](v) ≤ ł − 4 by structural induction 
on φ. Using this result and Theorem 14, we can also show that for all φ ∈ L\⊕, 
[[φ]](s) − [[φ]](t) ≤ ea by structural induction on φ. 
5 Explainability 


In general, the probabilistic bisimilarity distance of two states cannot be ex- 
plained by a single formula, as we will show next. That is, generally there does 
not exist a distinguishing formula for every pair of states of a labelled Markov 
chain. But, as we will prove below, for every pair of states there exists a sequence 
of formulas that explains their distance. 


Theorem 17. There exists a labelled Markov chain (S, L, τ, ℓ) and s, t ∈ S such 
that for all φ ∈ L, δ(s,t) > [[φ]](s) − [[φ]](t). 


Proof sketch. Consider the following labelled Markov chain. 

[Figure: labelled Markov chain with states s and t] 

It can be shown that δ(s,t) = 1. We can also prove that for all φ ∈ L, 
[[φ]](s) − [[φ]](t) < 1 by structural induction on φ. 


As we will show next, for every pair of states (s,t) there exists a sequence of 
formulas (ξ_n)_n such that δ(s,t) = lim_{n→∞} [[ξ_n]](s) − [[ξ_n]](t). This sequence (ξ_n)_n 
explains the distance δ(s,t). 


Proposition 18. For all s, t ∈ S there exists (ξ_n)_n such that 
δ(s,t) = lim_{n→∞} [[ξ_n]](s) − [[ξ_n]](t). 


Proof sketch. This can be concluded from Theorem 14 and the following. Let 
X be a nonempty subset of R that is bounded above. Then there exists a se- 
quence (x_n)_n in X that converges to sup X [8, page 4]. 


The proof of the above proposition is not constructive. Below, we will con- 
struct a sequence of formulas (φ^n_{st})_n that explains the distance of the states s 
and t. In particular, φ^n_{st} is constructed so that 


[[φ^n_{st}]](s) = δ_n(s,t) and [[φ^n_{st}]](t) = 0 


and, hence, [[φ^n_{st}]](s) − [[φ^n_{st}]](t) = δ_n(s,t). That is, the formula φ^n_{st} explains the 
distance δ_n(s,t). 
If n = 0 then δ_n(s,t) = 0. We choose the formula false since 


[[false]](s) = 0 = δ_0(s,t) and [[false]](t) = 0. 


Let n > 0. For (s,t) ∈ S²_0, also δ_n(s,t) = 0. Again we choose the formula false to 
explain the distance. For (s,t) ∈ S²_1, we have that δ_n(s,t) = 1. In this case the 
formula ℓ(s) explains δ_n(s,t) since ℓ(s) ≠ ℓ(t) and, therefore, 


[[ℓ(s)]](s) = 1 = δ_n(s,t) and [[ℓ(s)]](t) = 0. 
To construct a formula that explains distance δ_n(s,t) for (s,t) ∈ S²_?, we rely 
on the following result about distances and nonexpansive functions. A function 
f ∈ S → [0,1] is nonexpansive if for all s, t ∈ S, |f(s) − f(t)| ≤ δ_n(s,t). The 
set of nonexpansive functions is denoted by (S, δ_n) → [0,1]. This set forms a 
convex polytope and is known as the Lipschitz polytope. We denote its vertices 
by V((S, δ_n) → [0,1]). 


Proposition 19. For all (s,t) ∈ S²_? and n ≥ 0, there exists f^n_{st} ∈ (S, δ_n) → 
(Q ∩ [0,1]) such that δ_{n+1}(s,t) = f^n_{st} · (τ(s) − τ(t)). 


Proof sketch. Let (s,t) ∈ S²_? and n ≥ 0. Then 


δ_{n+1}(s,t) = inf_{ω ∈ Ω_R(τ(s),τ(t))} ω · δ_n. 


We can view δ_{n+1}(s,t) as the minimal cost of a transportation problem, where 
τ(s)(u) represents the amount transported from the origin u, τ(t)(v) captures 
the amount received at the destination v, δ_n(u,v) represents the transportation 
cost from u to v, and each ω captures a transportation plan, that is, ω(u,v) is 
the amount transported from u to v (see, for example, [40, page 15]). 

From the Kantorovich-Rubinstein duality theorem [31] we can conclude that 


inf_{ω ∈ Ω_R(τ(s),τ(t))} ω · δ_n = sup_{f ∈ (S,δ_n) → [0,1]} f · (τ(s) − τ(t)). 


In this dual to the above transportation problem, each f represents a price 
function (see, for example, [40, page 81]). Since a linear function on a convex 
polytope attains its maximum at a vertex (see, for example, [49, Theorem 2 of 
Chapter 1]), we can conclude that 


sup_{f ∈ (S,δ_n) → [0,1]} f · (τ(s) − τ(t)) = max_{f ∈ V((S,δ_n) → [0,1])} f · (τ(s) − τ(t)). 


Since we can prove that V((S, δ_n) → [0,1]) ⊆ (S, δ_n) → (Q ∩ [0,1]), there exists 
f^n_{st} ∈ (S, δ_n) → (Q ∩ [0,1]) such that δ_{n+1}(s,t) = f^n_{st} · (τ(s) − τ(t)). 


The function f^n_{st} plays a key role in the formula explaining δ_n(s,t). However, 
f^n_{st} is not necessarily unique. Consider the following labelled Markov chain. 

[Figure: labelled Markov chain with states s, t, u and v] 

For this example, the sequence (δ_n)_n converges in three steps, that is, δ = δ_3. 
We have that δ_2(u,v) = 5 and δ_3(s,t) = 4. So we need the function f^2_{st} to 
satisfy δ_3(s,t) = f^2_{st}(u) − f^2_{st}(v) and |f^2_{st}(u) − f^2_{st}(v)| ≤ 4. For each 0 ≤ q ≤ }, 
f^2_{st}(u) = 4 + q and f^2_{st}(v) = q satisfies these properties. As we will see, any f^2_{st} 
that satisfies these properties can be used to construct φ^3_{st}. How to compute 
these functions f^n_{st} is the topic of the next section. 

As we will show in Theorem 22, we can construct a formula ψ^n_{st} that captures 
the function f^n_{st}, that is, [[ψ^n_{st}]] = f^n_{st}. More about this soon. By means of ψ^{n−1}_{st} 
we can explain the distance δ_n(s,t) by the formula (◯ψ^{n−1}_{st}) ⊖ (f^{n−1}_{st} · τ(t)) since 
we have that 


[[(◯ψ^{n−1}_{st}) ⊖ (f^{n−1}_{st} · τ(t))]](s) = max{[[ψ^{n−1}_{st}]] · τ(s) − f^{n−1}_{st} · τ(t), 0} 
                                     = max{(f^{n−1}_{st} · τ(s)) − (f^{n−1}_{st} · τ(t)), 0} 
                                     = max{f^{n−1}_{st} · (τ(s) − τ(t)), 0} 
                                     = max{δ_n(s,t), 0} 
                                     = δ_n(s,t) 


and, similarly, we can deduce that 


[[(◯ψ^{n−1}_{st}) ⊖ (f^{n−1}_{st} · τ(t))]](t) = max{f^{n−1}_{st} · (τ(t) − τ(t)), 0} = 0. 


Let us return to the formula ψ^n_{st} that captures the function f^n_{st}. To construct 
ψ^n_{st}, we use the following result. 


Lemma 20 ([2, Lemma A7.2]). Let f ∈ S → [0,1]. If for all u, v ∈ S, there 
exists g_{uv} ∈ S → [0,1] such that g_{uv}(u) = f(u) and g_{uv}(v) = f(v), then 


f = min_{u∈S} max_{v∈S} g_{uv} = max_{u∈S} min_{v∈S} g_{uv}. 


To apply the above lemma, we need to construct for all u, v ∈ S a formula 
ψ^n_{stuv} such that 


[[ψ^n_{stuv}]](u) = f^n_{st}(u) and [[ψ^n_{stuv}]](v) = f^n_{st}(v). 


The details are provided in Definition 21 and Theorem 22. From Lemma 20 we 
can then conclude that 


[[⋀_{u∈S} ⋁_{v∈S} ψ^n_{stuv}]] = [[⋁_{u∈S} ⋀_{v∈S} ψ^n_{stuv}]] = f^n_{st}. 

The above can be summarized as follows. 
Definition 21. For all s, t ∈ S, 

φ^0_{st} = false 

and 

φ^1_{st} = false    if (s,t) ∈ S²_0 ∪ S²_? 
           ℓ(s)     if (s,t) ∈ S²_1 

and, for all n ≥ 2, 

φ^n_{st} = false                                     if (s,t) ∈ S²_0 
           ℓ(s)                                      if (s,t) ∈ S²_1 
           (◯ψ^{n−1}_{st}) ⊖ (f^{n−1}_{st} · τ(t))      if (s,t) ∈ S²_? 

For all (s,t) ∈ S²_? and n ≥ 1, 

ψ^n_{st} = ⋀_{u∈S} ⋁_{v∈S} ψ^n_{stuv} 

For all (s,t) ∈ S²_?, u, v ∈ S, and n ≥ 1, 

ψ^n_{stuv} = false ⊕ f^n_{st}(u)                                                          if f^n_{st}(u) = f^n_{st}(v) 
             (φ^n_{uv} ⊖ (δ_n(u,v) − (f^n_{st}(u) − f^n_{st}(v)))) ⊕ f^n_{st}(v)       if f^n_{st}(u) > f^n_{st}(v) 
             (φ^n_{vu} ⊖ (δ_n(u,v) − (f^n_{st}(v) − f^n_{st}(u)))) ⊕ f^n_{st}(u)       otherwise. 


Note that, for (s,t) ∈ S²_? and n ≥ 2, the formula φ^n_{st} contains |S|² subformulas 
of the form φ^{n−1}_{uv}. As a consequence, the size of φ^n_{st} grows exponentially in n. 
As we will see in Section 7, we can compute φ^n_{st} in polynomial time by sharing 
subformulas. 

The above definition shows some similarities with the sequence of formulas 
introduced in [43, Definition 8]. Their setting is different: the transitions are la- 
belled (as in [20]), the transition function is deterministic, and the labelling of 
the transitions is probabilistic. Their logic is simpler than the one introduced in 
[20] since the systems they consider are simpler. The sequence of formulas that 
they introduce is syntactically simpler than the one we define above. Their for- 
mulas are only used to prove a logical characterization, although those formulas 
can also be used for explainability. 

Consider the states s and t of the following labelled Markov chain. 

[Figure: labelled Markov chain with states s, t, u, v and transition probabilities 1/2, 1/2, 5/8, 3/8, 1, 1, 1, 1] 

By definition, φ^0_{st} = false and φ^1_{st} = false. For φ^2_{st} we get 

(◯(((false ⊕ 0) ∨ (false ⊕ 0) ∨ ··· ∨ (false ⊕ 0)) ∧        [ten times] 
    ((false ⊕ 0) ∨ (false ⊕ 0) ∨ ··· ∨ (false ⊕ 0)) ∧ 
    ⋮                                                     [ten times] 
    ((false ⊕ 0) ∨ (false ⊕ 0) ∨ ··· ∨ (false ⊕ 0)))) ⊖ 0 

This formula can be simplified to false. In the logic of Desharnais et al., which 
lacks ∧ and ⊕, one would need 111 additional ¬, making it less concise. 

The formula φ^3_{st} fills more than a page, but can be simplified to the formula 
(◯(⬡ ∧ ◯⬡)) ⊖ 0.375. Although generally there does not exist a distinguish- 
ing formula for each pair of states (Theorem 17), in this case the formula φ^3_{st} 
explains the distance of states s and t, since δ(s,t) = 0.125, [[φ^3_{st}]](s) = 0.125 
and [[φ^3_{st}]](t) = 0. The formula captures the probability of reaching a green state 
in one transition and subsequently reaching another green state. 

The formula φ^3_{ts} can be simplified to (◯(⬡ ∧ ◯□)) ⊖ 0.5. Since we have 
that [[φ^3_{ts}]](t) = 0.125 and [[φ^3_{ts}]](s) = 0, the formula φ^3_{ts} explains the distance 
δ(t,s) = 0.125. The formula captures the probability of reaching a green state 
in one transition and subsequently reaching a purple state. 

The outermost test can be removed from the explanation. Hence, the formulas 
◯(⬡ ∧ ◯⬡) and ◯(⬡ ∧ ◯□) explain the distance of states s and t as well. 


Theorem 22. 
(a) For all s, t ∈ S and n ≥ 0, [[φ^n_{st}]](s) = δ_n(s,t) and [[φ^n_{st}]](t) = 0. 
(b) For all (s,t) ∈ S²_? and n ≥ 1, [[ψ^n_{st}]] = f^n_{st}. 
(c) For all (s,t) ∈ S²_?, u, v ∈ S, and n ≥ 1, [[ψ^n_{stuv}]](u) = f^n_{st}(u) and 
[[ψ^n_{stuv}]](v) = f^n_{st}(v). 
Proof sketch. This theorem can be proved by induction on n. Most steps of the 
proof have already been discussed above. To prove (c), let (s,t) ∈ S²_?, u, v ∈ S 
and n ≥ 1. We need to distinguish three cases. Here we only consider the case 
that f^n_{st}(u) > f^n_{st}(v). Then 


[[ψ^n_{stuv}]](u) 
= [[(φ^n_{uv} ⊖ (δ_n(u,v) − (f^n_{st}(u) − f^n_{st}(v)))) ⊕ f^n_{st}(v)]](u) 
= min{max{[[φ^n_{uv}]](u) − (δ_n(u,v) − (f^n_{st}(u) − f^n_{st}(v))), 0} + f^n_{st}(v), 1} 
= min{max{δ_n(u,v) − (δ_n(u,v) − (f^n_{st}(u) − f^n_{st}(v))), 0} + f^n_{st}(v), 1} 
      [induction hypothesis of (a)] 
= min{max{f^n_{st}(u) − f^n_{st}(v), 0} + f^n_{st}(v), 1} 
= min{(f^n_{st}(u) − f^n_{st}(v)) + f^n_{st}(v), 1}      [f^n_{st}(u) > f^n_{st}(v)] 
= min{f^n_{st}(u), 1} 
= f^n_{st}(u) 

[[ψ^n_{stuv}]](v) 
= [[(φ^n_{uv} ⊖ (δ_n(u,v) − (f^n_{st}(u) − f^n_{st}(v)))) ⊕ f^n_{st}(v)]](v) 
= min{max{[[φ^n_{uv}]](v) − (δ_n(u,v) − (f^n_{st}(u) − f^n_{st}(v))), 0} + f^n_{st}(v), 1} 
= min{max{0 − (δ_n(u,v) − (f^n_{st}(u) − f^n_{st}(v))), 0} + f^n_{st}(v), 1} 
      [induction hypothesis of (a)] 
= min{0 + f^n_{st}(v), 1} 
      [f^n_{st}(u) − f^n_{st}(v) ≤ δ_n(u,v) since f^n_{st} is nonexpansive] 
= f^n_{st}(v) 
Combining Proposition 8 and Theorem 22, we obtain the following explainability result.


Corollary 23. For all s, t ∈ S, lim_{n→∞} ⟦φ^n_{st}⟧(s) − ⟦φ^n_{st}⟧(t) = δ(s,t).


6 Computing f^n_{st}


Proposition 19 states that the functions f^n_{st} exist. Below, we will show that these functions can be computed in polynomial time.

Let (s,t) ∈ S²_?. The function f^0_{st} ∈ S → (ℚ ∩ [0,1]) is defined as the constant zero function, satisfies δ_1(s,t) = f^0_{st}·(τ(s) − τ(t)) and can be computed in polynomial time. To prove that the remaining functions f^n_{st}, with n ≥ 1, can be computed in polynomial time as well, we use the primal network simplex algorithm to solve minimum-cost flow problems due to Orlin [42] and the ellipsoid method to solve linear programming problems due to Khachiyan [32]. As we will show below, f^n_{st} can be computed as FINDVERTEX(δ_n, τ(s), τ(t)).


1 FINDVERTEX(d, μ, ν)
2   input : d ∈ S × S → (ℚ ∩ [0,1]) with d(s,s) = 0 for all s ∈ S, μ, ν ∈ Distr(S)
3   output : arg max_{f ∈ (S,d) → (ℚ ∩ [0,1])} f·(μ − ν)
4   d_{μν} = inf_{ω ∈ Ω(μ,ν)} ω·d
5   f_{μν} = vertex of { f ∈ (S,d) → [0,1] | f·(μ − ν) = d_{μν} }
6   return f_{μν}


In line 4 we use Orlin's primal network simplex algorithm to compute the minimum cost for the following network (N, E). The nodes of the network consist of two copies of each u ∈ S, denoted u_0 and u_1. The supply of node u_0 is μ(u) and the demand of node u_1 is ν(u). Each edge (u_0, v_1) has cost d(u, v).

[Figure: node u_0 with supply μ(u) and node v_1 with demand ν(v), joined by the edge (u_0, v_1) of cost d(u, v)]

Each ω ∈ Ω(μ,ν) corresponds to a feasible flow, where ω(u,v) captures the flow from u_0 to v_1. The constraints ω(u,S) = μ(u) and ω(S,u) = ν(u), defining Ω(μ,ν), capture that the supply of u_0 flows from u_0 and the demand of u_1 flows to u_1. For a feasible flow ω, its cost is ω·d. Hence, d_{μν} captures the minimum cost.

Note that, by definition, the supplies and demands are rational. We can prove that d_{μν} = ω·d for some ω ∈ Ω(μ,ν). Since d is rational as well, we can conclude that d_{μν} is also rational. Orlin's primal network simplex algorithm can compute the minimum cost and, hence, can be used to compute d_{μν}. Orlin's algorithm is strongly polynomial: O(|N|²|E|² log|N|). Since there are 2|S| nodes and |S|² edges, d_{μν} can be computed in O(|S|⁶ log|S|).

In line 5 we use Khachiyan's ellipsoid method to find a feasible solution of a linear programming problem with the variables x_s, for s ∈ S, and the constraints

∀s, t ∈ S : x_s − x_t ≤ d(s,t)
∀s ∈ S : x_s ≥ 0
∀s ∈ S : x_s ≤ 1
Σ_{s∈S} x_s (μ(s) − ν(s)) = d_{μν}

By means of the ellipsoid method we can find a vertex of the convex polytope defined by the above constraints. This method is polynomial in the size of the constraints, in this case, the size of d, μ, ν, and d_{μν}.


Let n ≥ 1 and (s,t) ∈ S²_?. Since we can show that δ_n is rational and δ_n(s,s) = 0 for all s ∈ S, we can apply FINDVERTEX to δ_n, τ(s) and τ(t). In this case, line 4 computes inf_{ω ∈ Ω(τ(s),τ(t))} ω·δ_n, which equals δ_{n+1}(s,t). As a consequence, FINDVERTEX(δ_n, τ(s), τ(t)) returns f^n_{st} : (S,δ_n) → (ℚ ∩ [0,1]) such that f^n_{st}·(τ(s) − τ(t)) = δ_{n+1}(s,t).

As we already observed above, line 4 can be computed in polynomial time in the size of the labelled Markov chain and line 5 can be computed in polynomial time in the size of δ_n, τ(s), τ(t), and δ_{n+1}(s,t), which we can show to be polynomial in the size of the labelled Markov chain and n. Hence, the running time of FINDVERTEX(δ_n, τ(s), τ(t)) is polynomial in the size of the labelled Markov chain and n.


7 The Algorithm 


Given a labelled Markov chain (S, L, τ, ℓ) and N ∈ ℕ, we can explain the distances δ(s,t) for s, t ∈ S by computing the formulas φ^n_{st} for 0 ≤ n ≤ N. To obtain this sequence of formulas, we implement Definition 21 as follows. Below, for s, t, u ∈ S, we use the array cells distance[s][t], function[s][t][u], and formula[s][t][n] to represent the distance δ_{n−1}(s,t), the function value f^{n−1}_{st}(u), and the formula φ^n_{st}, respectively. In line 5-17, we compute δ_0, f^0_{st}, φ^0_{st}, and φ^1_{st}. The loop of line 20-50 first computes the distances δ_n (line 21-27), then determines the function f^n_{st} (line 30), and finally computes the formulas φ^{n+1}_{st} (line 31-49).


1 EXPLAINDISTANCES(τ, ℓ, N):
2   input : τ ∈ S → Distr(S), ℓ ∈ S → L, N ≥ 1
3   output : (φ^n_{st})_{n=0}^N for all s, t ∈ S
4   ~ = DECIDEPROBABILISTICBISIMILARITY(τ, ℓ)
5   for s ∈ S and t ∈ S
6     formula[s][t][0] = false
7     distance[s][t] = 0
8     if s ~ t
9       for 1 ≤ n ≤ N
10        formula[s][t][n] = false
11    else if ℓ(s) ≠ ℓ(t)
12      for 1 ≤ n ≤ N
13        formula[s][t][n] = ℓ(s)
14    else
15      formula[s][t][1] = false
16      for u ∈ S
17        function[s][t][u] = 0

19  n = 1
20  while n < N
21    for s ∈ S and t ∈ S
22      if ℓ(s) ≠ ℓ(t)
23        distance[s][t] = 1
24      if s ≁ t ∧ ℓ(s) = ℓ(t)
25        distance[s][t] = 0
26        for u ∈ S
27          distance[s][t] += function[s][t][u] × (τ(s)(u) − τ(t)(u))
28    for s ∈ S and t ∈ S
29      if s ≁ t ∧ ℓ(s) = ℓ(t)
30        function[s][t] = FINDVERTEX(distance, τ(s), τ(t))
31        conjunction = true
32        for u ∈ S
33          disjunction = false
34          for v ∈ S
35            if function[s][t][u] = function[s][t][v]
36              subformula = false ⊕ function[s][t][u]
37            else
38              minusShift = distance[u][v] − |function[s][t][u] − function[s][t][v]|
39              plusShift = min{function[s][t][u], function[s][t][v]}
40              if function[s][t][u] > function[s][t][v]
41                subformula = (formula[u][v][n] ⊖ minusShift) ⊕ plusShift
42              else
43                subformula = (formula[v][u][n] ⊖ minusShift) ⊕ plusShift
44            disjunction ∨= subformula
45          conjunction ∧= disjunction
46        shift = 0
47        for u ∈ S
48          shift += function[s][t][u] × τ(t)(u)
49        formula[s][t][n + 1] = (◇ conjunction) ⊖ shift
50    n = n + 1


Let us first discuss the correctness of the above algorithm. In line 4, ~ is computed by deciding probabilistic bisimilarity. The loop spanning line 20-50 has the following invariant.


∀s, t ∈ S : distance[s][t] = δ_{n−1}(s,t)   (1)
∀(s,t) ∈ S²_? : ∀u ∈ S : function[s][t][u] = f^{n−1}_{st}(u)   (2)
∀s, t ∈ S : ∀0 ≤ i ≤ n : formula[s][t][i] = φ^i_{st}   (3)


Let us check that the above loop invariant holds when we reach line 21 for the first time. In line 7 we set distance to zero. Hence, (1) is satisfied when we reach line 21. In line 17 we set function to zero. Hence, (2) is also satisfied when we reach line 21. In line 6, 10, 13, and 15 we set formula such that (3) is satisfied when we reach line 21.

Next, we check that the loop maintains the above invariant, that is, if the invariant holds at line 21 then it also holds at line 50. Assume that the invariant holds at line 21. From (2) and line 22-27 we can conclude that

distance[s][t] = 0 if (s,t) ∈ S²_0
distance[s][t] = 1 if (s,t) ∈ S²_1
distance[s][t] = f^{n−1}_{st}·(τ(s) − τ(t)) otherwise

once we arrive at line 28. Hence, from Proposition 19 we can conclude that distance[s][t] = δ_n(s,t) for all s, t ∈ S. Therefore, (1) holds at line 50.

Since distance = δ_n at line 30 and, as we have seen in Section 6, FINDVERTEX(δ_n, τ(s), τ(t)) returns f^n_{st}, we assign f^n_{st} to function[s][t] in line 30. Hence, (2) holds at line 50. We can also verify that line 31-49 ensure that (3) is maintained by the loop.

Finally, we will argue that the running time of the above algorithm is polynomial in the size of the labelled Markov chain and N. Probabilistic bisimilarity can be decided in polynomial time as was first shown by Baier [3]. More efficient algorithms have been proposed by Buchholz [7], Derisavi, Hermanns, and Sanders [17] and Valmari and Franceschinis [50]. Hence, line 4 is polynomial time.

Each line of 6-17 can be implemented in constant time. Since each line of this part is executed at most N|S|³ times, the running time of line 5-17 is polynomial in the size of the labelled Markov chain and N.

The loop consisting of line 20-50 is executed N − 1 times. As we already discussed in Section 6, the running time of FINDVERTEX(δ_n, τ(s), τ(t)) is polynomial in the size of the labelled Markov chain and n. When we arrive at line 30, distance equals δ_n and, hence, this line is polynomial in the size of the labelled Markov chain and n. All other lines of the loop can be implemented in constant time. Each line is executed at most |S|⁴ times. Therefore, the running time of line 20-50 is polynomial in the size of the labelled Markov chain and N.
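As an added example (not the paper's own Java implementation [45]), the following Python code runs one iteration of the construction of Sections 6 and 7 on a constructed four-state chain: for n = 1 the FINDVERTEX step can be done in closed form, because δ_1 is the 0/1 label metric, and the formula-building loop then yields φ^2_{st}, whose values check Theorem 22(a) and (b). The chain, the state and label names, and the formula semantics (taken to be that of the logic of Desharnais et al.: ∧ is min, ∨ is max, ◇ is the expected value after one transition, ⊖ and ⊕ shift and clip to [0,1]) are assumptions of this example.

```python
from fractions import Fraction as Fr

# Constructed 4-state labelled Markov chain (not the paper's example).
# Assumption: no two distinct states are probabilistically bisimilar, so the
# relation ~ of line 4 of EXPLAINDISTANCES is the identity.
S = ["s", "t", "u", "v"]
label = {"s": "green", "t": "green", "u": "green", "v": "purple"}
tau = {
    "s": {"u": Fr(1, 2), "v": Fr(1, 2)},
    "t": {"u": Fr(1, 8), "v": Fr(7, 8)},
    "u": {"u": Fr(1)},  # absorbing green state
    "v": {"v": Fr(1)},  # absorbing purple state
}

# Formulas are nested tuples.  Semantics assumed as in the logic of
# Desharnais et al.; every value is an exact rational in [0, 1].
def ev(phi, x):
    """Return [[phi]](x)."""
    op = phi[0]
    if op == "false":
        return Fr(0)
    if op == "label":
        return Fr(1) if label[x] == phi[1] else Fr(0)
    if op == "and":
        return min(ev(phi[1], x), ev(phi[2], x))
    if op == "or":
        return max(ev(phi[1], x), ev(phi[2], x))
    if op == "next":   # ◇ phi
        return sum(p * ev(phi[1], y) for y, p in tau[x].items())
    if op == "minus":  # phi ⊖ q
        return max(ev(phi[1], x) - phi[2], Fr(0))
    if op == "plus":   # phi ⊕ q
        return min(ev(phi[1], x) + phi[2], Fr(1))
    raise ValueError(op)

TRUE = ("plus", ("false",), Fr(1))  # the 'true' of the pseudocode, as false ⊕ 1

def delta1(x, y):
    """delta_1: 1 if the labels differ, 0 otherwise (f^0 is the zero function)."""
    return Fr(0) if label[x] == label[y] else Fr(1)

def phi1(x, y):
    """phi^1_{xy} as set in lines 10-15: the label of x if labels differ, else false."""
    return ("label", label[x]) if label[x] != label[y] else ("false",)

def find_vertex_label_metric(s, t):
    """FINDVERTEX(delta_1, tau(s), tau(t)) in closed form.
    For the 0/1 label metric the minimum-cost coupling cost is the total
    variation distance between the label marginals of tau(s) and tau(t), and
    the indicator of the labels on which tau(s) carries more mass is an optimal
    nonexpansive f with values in {0, 1}, hence a vertex.  Returns (delta_2, f).
    A general delta_n needs the min-cost-flow and LP steps of Section 6."""
    mass = {s: {}, t: {}}
    for z in (s, t):
        for y, p in tau[z].items():
            mass[z][label[y]] = mass[z].get(label[y], Fr(0)) + p
    f = {x: Fr(1) if mass[s].get(label[x], 0) > mass[t].get(label[x], 0) else Fr(0)
         for x in S}
    d2 = sum(f[y] * (tau[s].get(y, 0) - tau[t].get(y, 0)) for y in S)
    return d2, f

def next_formula(s, t, dist, f, phi_n):
    """Lines 31-49 of EXPLAINDISTANCES: build phi^{n+1}_{st} from delta_n
    (dist), f^n_{st} (f) and the formulas phi^n (phi_n)."""
    conjunction = TRUE
    for u in S:
        disjunction = ("false",)
        for v in S:
            fu, fv = f[u], f[v]
            if fu == fv:
                sub = ("plus", ("false",), fu)
            else:
                minus_shift = dist(u, v) - abs(fu - fv)
                plus_shift = min(fu, fv)
                base = phi_n(u, v) if fu > fv else phi_n(v, u)
                sub = ("plus", ("minus", base, minus_shift), plus_shift)
            disjunction = ("or", disjunction, sub)
        conjunction = ("and", conjunction, disjunction)
    shift = sum(f[u] * tau[t].get(u, Fr(0)) for u in S)   # f^n_{st} . tau(t)
    return ("minus", ("next", conjunction), shift)

def explain_step(s, t):
    """delta_2(s,t), phi^2_{st}, and its values at s and t (Theorem 22(a))."""
    d2, f = find_vertex_label_metric(s, t)
    phi2 = next_formula(s, t, delta1, f, phi1)
    return d2, phi2, ev(phi2, s), ev(phi2, t)

if __name__ == "__main__":
    d2, phi2, at_s, at_t = explain_step("s", "t")
    print(f"delta_2(s,t) = {d2}; [[phi^2_st]](s) = {at_s}; [[phi^2_st]](t) = {at_t}")
```

On this chain δ_2(s,t) = 3/8, the formula reduces semantically to (◇green) ⊖ 1/8, and the conjunction inside ◇ evaluates to f^1_{st} at every state, as Theorem 22(b) states.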


8 Conclusion 


In this paper, we study a minor variation of the logic introduced by Desharnais et al. in [20]. In particular, we show that

1. the logic is a minimal one that characterizes the probabilistic bisimilarity distances,

2. in general, there does not exist a distinguishing formula φ_{st} for states s and t such that ⟦φ_{st}⟧(s) − ⟦φ_{st}⟧(t) = δ(s,t),

3. there exists a sequence (φ^n_{st})_n of formulas that explains the distance δ(s,t) as lim_{n→∞} ⟦φ^n_{st}⟧(s) − ⟦φ^n_{st}⟧(t) = δ(s,t), and

4. each formula φ^n_{st} can be computed in polynomial time.


As pointed out by Hillerström in [30], an early paper on computing distinguishing formulas, to explain why states are not bisimilar "arguments must be concise in the sense that an argument must not contain redundant or irrelevant information." This applies to our setting as well. The distinguishing formulas introduced in Definition 21 are in many cases far from concise. We leave the simplification of these formulas for future research.

One may wonder whether adding fixed points to the logic, in the form of variables X and either operators μX and νX or equations of the form X = φ, would allow us to explain the probabilistic bisimilarity distance of two states by means of a single formula. A logic similar to the one studied in this paper that contains fixed points has been studied by De Alfaro et al. [1]. Whether simply adding fixed points to the logic suffices is not immediately clear, as the constants p_n and q_n in the formula ψ^n_{st,uv} vary as n varies. Extending the logic so that the probabilistic bisimilarity distance of two states can be explained by means of a single formula is another potential topic for future research.

Graf and Sifakis [28] introduce the notion of a characteristic formula for a state s: a state satisfies this formula if and only if it is behaviourally equivalent to s. Characteristic formulas have been developed for probabilistic bisimilarity. For example, Deng and van Glabbeek [16] present characteristic formulas for probabilistic automata. Sack and Zhang [47] introduce a general framework to construct characteristic formulas for probabilistic automata. In the setting of probabilistic bisimilarity distances, a characteristic formula for a state s of a labelled Markov chain can be formalized in the following ways. The formula φ_s is a characteristic formula for the state s if

for all states t, ⟦φ_s⟧(s) − ⟦φ_s⟧(t) = δ(s,t)   (4)

or

for all states t, ⟦φ_s⟧(t) = δ(s,t).   (5)

It can be shown that (4) and (5) are equivalent: if there exists a formula that satisfies (4) then there also exists a (different) formula that satisfies (5). Whether such a formula or a sequence of such formulas exists for the logic studied in this paper is an open question that may be tackled in future research.
A preliminary implementation of the algorithm in Java is available [45]. Improving the code is another avenue for further research.
Abstract. In the open map approach to bisimilarity, the paths and their 
runs in a given state-based system are the first-class citizens, and bisimi- 
larity becomes a derived notion. While open maps were successfully used 
to model bisimilarity in non-deterministic systems, the approach fails to 
describe quantitative system equivalences such as probabilistic bisimi- 
larity. In the present work, we see that this is indeed impossible and we 
thus generalize the notion of open maps to also accommodate weighted 
and probabilistic bisimilarity. Also, extending the notions of strong path 
and path bisimulations into this new framework, we show that branching 
bisimilarity can be captured by this extended theory and that it can be 
viewed as the history preserving restriction of weak bisimilarity. 


Keywords: Open maps - Weighted Bisimilarity - Probabilistic Bisimi- 
larity - Branching Bisimilarity - Weak Bisimilarity 


1 Introduction 


The theory of open maps is a categorical framework to reason about systems 
and their bisimilarities [16]. Given a category of systems and a description of 
the shape of the executions and how to extend them, open maps are morphisms 
with lifting properties with respect to those extensions. Intuitively, open maps 
are morphisms which preserve and reflect transitions of systems, that is, they are 
morphisms whose graphs are bisimulations. The theory covers various classical 
notions of bisimilarity. For example, two LTSs are strongly bisimilar if and only 
if there is a span of open maps between them. Varying the category of models 
and the execution shapes allows describing weak bisimilarity, timed bisimilarity, 
probabilistic Larsen and Skou bisimilarity, and history-preserving bisimilarity of 
event structures (see [16,3,12] for examples). 

Another categorical framework for bisimilarity is coalgebra [22]. This time, 
given a category and an endofunctor describing respectively the type of state 
spaces and the type of transitions, a ‘system’ is understood as a coalgebra for this 
functor. Coalgebra homomorphisms are then very similar to open maps in spirit: 
they also are morphisms that preserve and reflect transitions. This intuition has 
been made formal by transformations between the categorical frameworks in 
both ways; from open maps to coalgebra [19], and conversely [25]. However, the 
latter suggests that open maps are only adapted to modeling non-deterministic 
systems and would struggle with other types of branchings, such as probabilistic. 

In coalgebra, there are no particular difficulties in modeling weighted systems, 
and by extension, discrete probabilistic systems [17]. There is also some work for 
continuous probabilities, although the theory is much more complicated [5,4]. 
As we will explain more precisely later, there have been some attempts to do so 
with open maps in [3,5], but the result is somewhat disappointing. 

Conversely, coalgebra is not adapted to bisimilarities for systems where tran- 
sitions are not history-preserving, that is, for which the behavioral equivalence 
does not just depend on the transitions at a given state, but on the whole history 
of the execution that led to this state. That is the case for example for branching 
bisimilarity [23]. Branching bisimilarity arose precisely to make weak bisimilarity 
history-preserving. In [3], weak bisimilarity has been described using open maps 
by carefully choosing the underlying category, with a general theory developed 
in [9] using presheaf models. Branching bisimilarity has also been studied using 
open maps in [1,2], but indirectly, through a translation into presheaves. 

To sum up, the goal of this paper is to capture weighted and branching bisimilarities using a generalization of open maps. Concretely, the contributions are:


1. a proof that it is impossible to appropriately model probabilistic systems using standard open maps (Section 3.2),

2. a faithful extension of the theory of open maps and (strong) path bisimulations (Section 4),

3. a generalized open map situation capturing weighted and probabilistic bisimilarities (Section 5),

4. a generalized open map situation where strong path bisimulations correspond to stuttering branching bisimulations, open map bisimilarity to branching bisimilarity, and path bisimulations to weak bisimulations (Section 6).


Full proofs can be found in the appendix: http://arxiv.org/abs/2301.07004


2 From Path Categories to Bisimilarity 


Before discussing weighted bisimilarity, let us first recall the main ideas of modeling bisimilarity via open maps, as introduced by Joyal et al. [16]. The definition is parametric in a functor J: P ⟶ M, from a category P of paths to a category M of models or systems of interest. In the prime example, M is the category of labelled transition systems LTS as defined next:


Definition 2.1. For a fixed set A of labels, the category LTS contains:


1. Objects: a labelled transition system (X, →, x_0) is a set X of states, a transition relation → ⊆ X × A × X and a distinguished initial state x_0 ∈ X. We write x →^a x' to denote that (x, a, x') ∈ → and simply refer to the LTS as X if → and x_0 are clear from the context. For disambiguation, we use ⟶ for morphisms and → for transitions.

2. Morphisms: a functional simulation f: (X, →, x_0) ⟶ (Y, →, y_0) is a function f: X ⟶ Y with f(x_0) = y_0 and for all x →^a x' in X, we have f(x) →^a f(x').

A functional simulation f: X ⟶ Y intuitively means that the system Y has at least the transitions of X, but possibly more. A special case of a functional simulation is the run of a word in a system:


Definition 2.2. For the label set A, let (A*, ≤) be the partially ordered set of words, ordered by the prefix ordering. The functor J: (A*, ≤) ⟶ LTS sends a word w ∈ A* to the LTS Jw = ({v | v ≤ w}, →, ε) of all prefixes of w with v →^a va for all a ∈ A, va ≤ w.


This functor J (or more precisely, its image) is often called the path category of LTS: the possible runs of a word w ∈ A* in (X, →, x_0) correspond precisely to the functional simulations Jw ⟶ (X, →, x_0) in LTS.

On the abstract level, for a general functor J: P ⟶ M, we understand the set of morphisms r: Jw ⟶ X for w ∈ P and X ∈ M as the runs of the path w in the model X. We can already make the trivial observation that all morphisms f: X ⟶ Y in M preserve runs: given a run r: Jw ⟶ X of some path w ∈ P in X, there is a run f·r: Jw ⟶ Y of w in Y.

The converse does not hold for a general f: X ⟶ Y in M: given a run of w in Y, there is not necessarily a run of w in X. If f reflects runs, it is called open:


Definition 2.3. For a functor J: P ⟶ M, a morphism f: X ⟶ Y in M is called open if f satisfies the following lifting property for all e: v ⟶ w in P:


[Diagram: for every commutative square r: Jv ⟶ X, Je: Jv ⟶ Jw, f: X ⟶ Y, s: Jw ⟶ Y there is a diagonal d: Jw ⟶ X making both triangles commute]


That is, for all commutative squares (s·Je = f·r), there is d: Jw ⟶ X in M that makes both triangles on the right commute (f·d = s and d·Je = r).

By construction, we can only make statements about states that are reachable 
via some run. Thus, one often restricts M beforehand to contain only models in 
which all states are reachable from the initial state. 

For LTSs in which all states are reachable from the initial state, open maps are related to strong bisimulations [20]: open maps are precisely functions whose graph relation {(x, fx) | x ∈ X} is a strong bisimulation. Reformulated in the context of allegories [10], open maps are precisely the maps in the allegory of relations that are strong bisimulations. It is then natural to recover bisimulations as tabulations of open maps, that is:


Definition 2.4. For a functor J: P ⟶ M, we say that two models X and Y are J-bisimilar if there exist another model Z and two J-open maps f: Z ⟶ X and g: Z ⟶ Y, that is, if there is a span of J-open maps between them.
Of course, J-bisimilarity is a reflexive (identities are open maps) and symmetric (by permuting f and g in the definition) relation on models, but it is not transitive in general. It is when the category M has pullbacks [16].

Given a functor J: P — M, there are more classical ways of defining bisim- 
ilarities given in [16]. The first one is (strong) path bisimulations, which are re- 
lations on runs (similar to history-preserving bisimulations) satisfying the usual 
bisimilarity conditions. The second one is by using a modal logic similar to the 
Hennessy-Milner theorem. In the case of LTSs with strong bisimilarity, all those 
notions describe the same notion of bisimilarity, but that is not true for general 
J: P ⟶ M: it can only be proved that J-bisimilarity implies the existence of 
a (strong) path bisimulation, which itself implies that the two models satisfy 
the same formulas of the modal logic. In [6], some mild sufficient conditions in 
terms of trees (i.e., colimits of paths in M) are given for those three notions to 
coincide. In particular, all the examples of bisimilarities covered by open maps 
cited earlier satisfy these conditions. 

We use coalgebra for uniform statements about state-based systems of dif- 
ferent branching type (including non-deterministic and probabilistic branching): 


Definition 2.5. For an object 1 of a category C and an endofunctor F: C ⟶ C, a pointed coalgebra is a pair of morphisms of C of the form 1 —i→ X —ξ→ FX.


For example, LTSs can be modeled as pointed coalgebras with C = Set, 1 any singleton, and F = P(A × _), where P is the power set functor. The usual notion of morphisms of coalgebras can be spelt out as follows:


Definition 2.6. A (proper) homomorphism of pointed coalgebras from (X, ξ, i) to (Y, ζ, j) is a morphism f: X ⟶ Y of C such that the diagram on the right commutes.

[Diagram: 1 —i→ X —ξ→ FX and 1 —j→ Y —ζ→ FY, connected by f: X ⟶ Y and Ff: FX ⟶ FY]


Pointed coalgebras and proper homomorphisms always form a category, but 
in the case of LTSs as described above, this category is not equivalent to the 
category LTS. Indeed, proper homomorphisms are not just morphisms that pre- 
serve transitions, but similarly to open maps, they also reflect them. In [25], the 
authors proved that for a large class of endofunctors, whose coalgebras basically 
are non-deterministic, proper homomorphisms precisely correspond to J-open 
maps for a certain functor J. To model morphisms that are only required to 
preserve transitions, homomorphisms have to be made lax as follows (see [25]): 


Definition 2.7. Assume a relation ⊑ on every Hom-set C(X, FY). A lax homomorphism of pointed coalgebras from (X, ξ, i) to (Y, ζ, j) is a morphism f: X ⟶ Y of C such that the diagram on the right laxly commutes, that is, f·i = j and Ff·ξ ⊑ ζ·f in C(X, FY).

[Diagram: as in Definition 2.6, with the right square commuting only up to ⊑]


In the case of the functor P(A x __), we can consider the pointwise inclu- 
sion on every Hom-set Set(X, P(A x Y)). With this, pointed coalgebras and lax 
homomorphisms form a category which is isomorphic to the category LTS. However, it is not true in general that they form a category, as a compatibility of ⊑ with the composition is needed as follows:


Definition 2.8. A partial order on F is a collection of partial orders ⊑, one for each Hom-set of the form C(X, FY), such that


∀X, f_1, f_2: X ⟶ FY, g: X' ⟶ X, h: Y ⟶ Y' : f_1 ⊑ f_2 ⇒ Fh·f_1·g ⊑ Fh·f_2·g.


This is equivalent to the requirement that the Hom-functor C(_, F_) factors through partially ordered sets: C(_, F_): C^op × C ⟶ Pos.


Remark 2.9. The present definition subsumes the definition of order on a Set- 
functor established by Hughes and Jacobs [11, Def 2.1] (details in the appendix). 


Lemma 2.10 [25]. When ⊑ is a partial order on F, pointed coalgebras and lax homomorphisms form a category, which we denote by LCoalg(1, F).


Much as with open maps, many flavors of bisimilarity can be recovered using 
spans of proper homomorphisms: 


Definition 2.11. We say that two pointed coalgebras are coalgebraically bisim- 
ilar if there is a span of proper homomorphisms between them. 


There are many ways of defining bisimilarities in coalgebra (see [13] for an 
overview), but they coincide for the purpose of the present paper. 


3 Weighted Bisimilarity and Open Maps 


In this section, we describe known attempts to model weighted systems, and particularly probabilistic ones, using open maps. They all work with some variations of the (discrete) distribution functor on Set. We will denote this functor, which maps a set X to the set


DX = { f: X ⟶ [0,1] | f^{-1}((0,1]) is finite and Σ_{x∈X} f(x) = 1 },


by D, and the variation where the condition = 1 is replaced by ≤ 1 by D_{≤1} (i.e. D_{≤1}X := D(X + 1)). We will prove that, even though Larsen-Skou bisimulations for reactive systems can be modeled with open maps, that is impossible for bisimulations for generative systems.


3.1 Larsen-Skou Bisimilarity Using Open Maps 


In [3], Cheng et al. describe an open map situation for Probabilistic Transition Systems (PTSs), which corresponds to coalgebras for the functor (D(_) + 1)^A. In this setting, they consider Partial PTSs (PPTS) which are coalgebras for (D_{≤1}(_) + 1)^A where the sub-probability distributions can have values in hyperreals, allowing infinitesimals ε. The category of PTSs embeds in that of PPTSs, and the path category is the full subcategory of PPTSs consisting of finite linear systems whose probabilities of transitions are infinitesimals. It is then proved that J-bisimilarity, restricted to PTSs, for this path category corresponds to Larsen-Skou's probabilistic bisimilarity [18].

This open map situation has been reformulated in [7] in terms of coreflections: the obvious functor from PPTSs to LTSs is a coreflection whose left-adjoint maps an LTS T to the PPTS whose underlying LTS is T and where all transitions have infinitesimal probabilities. In general, given a coreflection F: C ⟶ D with left-adjoint G and a path category J on D, one automatically has the path category G∘J on C, and this construction preserves good properties of J. In particular, one has that two systems A and B are (G∘J)-bisimilar if and only if FA and FB are J-bisimilar. Cheng et al.'s path category is obtained in this manner with the coreflection above and the standard path category on LTSs. In particular, it means that two PPTSs are bisimilar if and only if their underlying LTSs are strongly bisimilar.


3.2 Impossibility Result for Generative Systems 


In [5], Desharnais et al. describe several bisimilarities for generative probabilistic systems, that is, coalgebras for the functor D_{≤1}(A × _), in a coalgebraic way. They pointed out that their efforts to model those bisimilarities using open maps failed [5, p. 188]. In the following, we see that it is in fact not possible. We will show that for generative probabilistic systems modeled by the category M := LCoalg(1, D_{≤1}(A × _)), there is no open map characterization of the coalgebraic bisimilarity. Actually, the argument here is valid for many other types of weights and is not limited to reals.

Here, for two functions f, g: X ⟶ D_{≤1}(Y), f ⊑ g means that for all x ∈ X, for all y ∈ Y, f(x)(y) ≤ g(x)(y), where ≤ is the usual ordering on [0,1].

In this situation:


Theorem 3.1. For M := LCoalg(1, D_{≤1}(A × _)) there is no category P and no functor J: P ⟶ M such that for every h: X ⟶ Y with reachable X the following equivalence holds:


h is J-open ⟺ h is a proper homomorphism

and there is no P and no functor J such that for every X and Y:

X and Y are J-bisimilar ⟺ X and Y are coalgebraically bisimilar.


Proof (Sketch). By contradiction, assume that there is such a J. We prove that there is a proper homomorphism h: X ⟶ Y of the form:

which cannot be J-open. Consider first the unique lax homomorphism 0_M ⟶ Y where 0_M consists in one state and no transition. This is not a proper homomorphism, so it is not open by assumption. That is, there is a square:


[Diagram: JP —p→ 0_M, JP —Jφ→ JQ, 0_M —h_Y→ Y, JQ —l→ Y]


with no lifting. It is mechanical to check that JP ≅ 0_M and that JQ has at least one transition from its initial state to another state, r →^{a,w} z, with w ≠ 0. With n = 2·⌈1/w⌉, the proper homomorphism h above is not open: there cannot be a morphism from JQ to X because w > 1/n.


4 Generalized Open Maps 


The main argument of the proof of impossibility is the fact that sometimes, a transition with some probability w in the codomain comes from probabilities w_1, …, w_n with Σ_i w_i = w in the domain, which makes a lifting morphism impossible with the current framework of open maps.

In this section, we will extend the open map framework with the main in- 
tuition that the lifting morphism splits the probability w into smaller parts 
W1,..., Wn. After defining these generalized open maps, we show some basic 
properties of the bisimilarity generated by them. 


4.1 Generalized Open Maps Situation 


Here, we describe our extension of the open maps framework. The data is similar: 
we start with a category of models M, but we need more than just a functor 
J: P — M. Assume: 


— a set V together with a function J: V ⟶ ob(M),
— two small categories E and S whose sets of objects are V,
— two functors J_E: E ⟶ M and J_S: S ⟶ M coinciding with J on objects.


The classical open maps situation J: P ⟶ M fits in this extension as follows. The category E is given by P with the intention that they model path shapes and their extensions. The functor J_E is given by J. The category S is given by the discrete category |P|, that is, the category whose objects are those of P and whose morphisms are only identities. The functor J_S is the only possible one respecting the conditions of the definition above.

In the general context of this extension, the interpretation is a bit different. 
Now V is meant to be a set of trees labelled by alphabets and weights. E still 
consists in extensions, extending trees into trees with longer branches. S then 
consists in merging morphisms, similar to the description above: for the example 
of weighted systems, those morphisms are allowed to merge states into one, 
as long as they sum up the weights of the in-going branches. Generally, those 
morphisms are allowed to perform some merges that are harmless for bisimilarity. 
With this data, we can define generalized open maps: 


Definition 4.1. A morphism f: X ⟶ Y in M is called (E,S)-open if it satisfies the following lifting property for all e: v ⟶ w in E:


[Diagram: for every commutative square x: Jv ⟶ X, J_E e: Jv ⟶ Jw, f: X ⟶ Y, y: Jw ⟶ Y there are u ∈ V, e': v ⟶ u in E, s: u ⟶ w in S and x': Ju ⟶ X with J_S s·J_E e' = J_E e, x'·J_E e' = x and f·x' = y·J_S s]


The interpretation starts the same as in usual open maps. Assume that we have a tree y in Y extending the image by f of the tree x in X. If f is open, there should be a tree x' extending x and whose image by f is y. However, x' may have a different shape than y, since it might be necessary to split transitions. That is what u and s are modeling: w is obtained from u by merging some states.

The connection with the classical open maps can be formulated as follows.


Proposition 4.2. Given a functor J: P ⟶ M and a morphism f: X ⟶ Y, f is J-open if and only if f is (P,|P|)-open.

Again, bisimilarity can be defined as the existence of a span of open maps.


Definition 4.3. We say that X and Y are (E,S)-bisimilar if there is a span of (E,S)-open maps between them.


4.2 Basic Properties 


In this section, we will prove general properties of (E,S)-bisimilarity similar to 
the classical case. First, we show that if M has pullbacks, then (E, S)-bisimilarity 
is an equivalence relation. Secondly, we describe two notions of path bisimula- 
tions, both implied by (E,S)-bisimilarity. Finally, we prove that it is enough to 
check openness on some generators of E. 


In order to see when (E,S)-bisimilarity is an equivalence relation, we need to check symmetry, reflexivity, and transitivity. Symmetry always holds because we can always swap the legs of the span. For reflexivity, it is enough to prove that identities are open, which is valid because S is a category and J_S is a functor, as shown in the diagram on the right. The proof of transitivity relies on composition and pullbacks:

[Diagram: the lifting square for id: X ⟶ X, filled with u = w, the identity of w in S and J_S id_w = id_{Jw}]


Lemma 4.4. (E,S)-open maps are closed under composition and pullbacks. 


Theorem 4.5. IfM has pullbacks, then (E,S)-bisimilarity is a transitive rela- 
tion, and thus is an equivalence relation. 
Generalized Path Bisimulations. In the classical open map setup [16], another
notion of bisimilarity can be defined by using path extensions directly:
so-called strong path and path bisimulations, which can be generalized as
follows. Like originally [16], we assume that there is an element 0 ∈ V such
that J0 is an initial object of M (note that 0 is not required to be initial in
E or S). The intuition is that the unique morphism !_X: J0 → X points to the
initial state of X. For example, J0 can be given by (1, id_1, ⊥) in a category
of pointed coalgebras if 1 is the final object of C and if C(1, F1) has the least
element ⊥: 1 → F1 (those conditions hold in the cases of interest).


Definition 4.6. A path simulation from A to B in M is a set R of spans of the
form A ←a Jv →b B (for v ∈ V) satisfying the following two properties:

– initial condition: the span A ←!_A J0 →!_B B belongs to R.
– forward closure: for all spans A ←a Jv →b B in R, all e: v → w ∈ E and all
  a': Jw → A ∈ M such that a = a' · J_E e, there are e': v → u ∈ E,
  s: u → w ∈ S, and b': Ju → B ∈ M such that J_E e = J_S s · J_E e',
  b = b' · J_E e', and the span A ←a'·J_S s Ju →b' B belongs to R.
  [Diagram not recoverable from the extraction: the triangle Jv → Ju → Jw
  with its legs to A and B.]

We say that R is a strong path simulation if it additionally satisfies the following:

– backward closure: for all spans A ←a Jv →b B in R and all e: w → v ∈ E, we
  have that the span A ←a·J_E e Jw →b·J_E e B belongs to R.

We say that R is a (strong) path bisimulation from A to B if R and
R^t = {B ←b Jv →a A | A ←a Jv →b B ∈ R} are (strong) path simulations.


Remark that this version of (strong) path bisimulations has the same type as 
the one by Joyal et al. [16], but satisfies more general conditions. In particular, 
when S is a discrete category, the formulation above is exactly the one from [16]. 
Obviously, a strong path bisimulation is a path bisimulation. 

The main result of this section is the following. 


Theorem 4.7. Assume two models A and B in M. If there is a span A ←f C →g B
where g is a morphism of M and f is an (E,S)-open map, then the following set
is a strong path simulation:

$$R_{f,g} := \{\, A \xleftarrow{a} Jv \xrightarrow{b} B \mid \exists c\colon Jv \to C \text{ with } a = f \cdot c \text{ and } b = g \cdot c \,\}$$

Consequently, if A and B are (E,S)-bisimilar, then there is a strong path
bisimulation between them.
As in the classical case of [16], there is no reason for the converse to be
true in general: there might be a strong path bisimulation between two models,
but no span of generalized open maps. However, conditions from [6] could be
accommodated to describe a general framework in which the converse holds.
Since this is not the main focus of this paper, we will not do it here, but will
show a particular case in Section 6.


Generators of the Category of Extensions. In the first example of open
maps for LTSs introduced in Section 2, the path category was described as the
poset of words with the prefix order. Consequently, to prove that a functional
simulation is J-open, we have to prove the lifting property of Definition 4.1 with
respect to all pairs w ≤ w'. However, it is sufficient to check the lifting property
for extensions by one letter: w' = w.a for some a ∈ A. The general reason is that,
as a category, (A*, ≤) is generated by the morphisms w ≤ w.a, and verifying the
lifting property with respect to generators of the category P is enough to obtain
J-openness. This can be extended to generalized open maps, with additional
care.


Proposition 4.8. Assume a subgraph E' of E that generates E, that is, every
morphism of E is a finite composition of morphisms of E'. Assume additionally
that for every e ∈ E' and s ∈ S for which J_E e · J_S s is well-defined, there
are s' ∈ S and e' ∈ E such that J_E e · J_S s = J_S s' · J_E e'.

In that case, if a map of M satisfies the lifting property of Definition 4.1
for all morphisms in E', then it is (E,S)-open. Also, if a set of spans satisfies
the conditions of Definition 4.6, where E is replaced by E', then it is a (strong)
path bisimulation.

The first condition is satisfied when E is a free category and E' is its class of
generators. The second condition is satisfied for e.g. E = P and S = |P|.


5 Open Maps for Weighted Systems 


In this section, we will prove that weighted systems can be captured by this 
generalized open map theory for a large variety of weights, including those needed 
to capture probabilistic systems. 

5.1 Category of Coalgebras for Weighted Systems 


In this section, we will consider weighted functors as follows. 


Definition 5.1. Given a commutative monoid (K,+,e), the K-weighted functor
(K,+,e)^{(−)}: Set → Set is defined as follows on sets and maps:

$$\text{sets: } X \mapsto (K,+,e)^{(X)} = \{\mu\colon X \to K \mid \mu^{-1}(K \setminus \{e\}) \text{ is finite}\}$$
$$\text{maps: } f\colon X \to Y \mapsto (K,+,e)^{(f)}(\mu) = \big(y \in Y \mapsto \textstyle\sum \{\mu(x) \mid x \in X,\ f(x) = y\}\big)$$

An element μ of (K,+,e)^{(X)} is a finite distribution sending each x ∈ X to a
weight in K. Whenever a map f: X → Y identifies elements f(x_1) = f(x_2) = ...,
then the functor action turns μ into a distribution on Y by adding up the
weights μ(x_1) + μ(x_2) + ... as elements of X are sent to the same element in Y.
Since μ is finitely supported and K is commutative, this addition is well-defined.
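As an added illustration, not code from the paper, the following Python implements the action of the K-weighted functor on maps from Definition 5.1 for an arbitrary commutative monoid passed in as a pair (plus, e), and the pointwise order of Lemma 5.2 on coalgebra structure maps X → K^{(A × Y)}. The monoids instantiated (ℝ_+, ℕ, a powerset with union, ℤ) are those named in Lemma 5.4 and Example 5.5; the states, labels, weights and the function names (weighted_map, coalgebra_map_le, the *_example helpers) are constructed for this example.

```python
import operator


def weighted_map(f, mu, plus, e):
    """Action (K,+,e)^(f) of the K-weighted functor on a finitely supported
    weight function mu: X -> K, stored as a dict holding only the points where
    mu differs from the unit e. Returns nu: Y -> K with
        nu(y) = sum of mu(x) over all x with f(x) = y,
    i.e. the weights of elements merged by f are added with the monoid's +.
    Commutativity of + makes the result independent of the iteration order."""
    nu = {}
    for x, k in mu.items():
        y = f(x)
        nu[y] = plus(nu[y], k) if y in nu else k
    # Keep the result finitely supported: a merged weight may collapse to e
    # (possible only in monoids with inverses, e.g. (Z,+,0)).
    return {y: k for y, k in nu.items() if k != e}


def coalgebra_map_le(f1, f2, sources, labels, targets, le, e):
    """Pointwise order of Lemma 5.2 on maps X -> K^(A x Y). f1 and f2 map each
    source state to a finitely supported dict over pairs (a, y); absent pairs
    carry the unit e. f1 <= f2 iff f1(x)(a,y) <= f2(x)(a,y) for all x, a, y."""
    return all(
        le(f1[x].get((a, y), e), f2[x].get((a, y), e))
        for x in sources for a in labels for y in targets
    )


# Constructed sample data (not from the paper): f merges states 1 and 2 of
# X = {0, 1, 2} into the element "b" of Y = {"a", "b"}.
def f(x):
    return "a" if x == 0 else "b"


def probabilistic_example():
    # (R+, +, 0): a probability distribution on X pushed forward along f
    return weighted_map(f, {0: 0.5, 1: 0.25, 2: 0.25}, operator.add, 0)


def bag_example():
    # (N, +, 0): multiplicities of the bag functor are added
    return weighted_map(f, {0: 2, 1: 3, 2: 1}, operator.add, 0)


def powerset_example():
    # (P(X), union, emptyset): a distributive lattice monoid (Lemma 5.4)
    mu = {0: frozenset("x"), 1: frozenset("y"), 2: frozenset("xz")}
    return weighted_map(f, mu, lambda s, t: s | t, frozenset())


def cancellation_example():
    # (Z, +, 0): the two merged weights cancel, so the support becomes empty
    return weighted_map(f, {1: 1, 2: -1}, operator.add, 0)


def order_example():
    # Two structure maps on states {p, q} over labels {a, b} with weights in R+:
    # c1 <= c2 pointwise (Lemma 5.2), but not c2 <= c1.
    c1 = {"p": {("a", "q"): 0.5}, "q": {}}
    c2 = {"p": {("a", "q"): 0.5, ("b", "q"): 0.2}, "q": {}}
    states, labels = ["p", "q"], ["a", "b"]
    return (coalgebra_map_le(c1, c2, states, labels, states, operator.le, 0),
            coalgebra_map_le(c2, c1, states, labels, states, operator.le, 0))


if __name__ == "__main__":
    print(probabilistic_example(), bag_example(), powerset_example(),
          cancellation_example(), order_example())
```

The cancellation case shows why the finite-support invariant has to be re-established after merging: in a monoid with inverses the sum of two non-unit weights can be the unit, which the dictionary representation must not keep as an explicit entry.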

Given a commutative monoid (K,+,e) and an alphabet A, we want to consider
weighted systems as coalgebras for the functor (K,+,e)^{(A × −)}. As described
in Section 2, we want to be able to talk about lax homomorphisms, so we need
an order on (K,+,e)^{(A × X)} as in Definition 2.8. For that, we need to assume
an ordered commutative monoid (K,+,e,⪯), that is, a monoid (K,+,e) with a
partial order ⪯ such that + is monotone in both its arguments.


Lemma 5.2. Given an ordered commutative monoid (K,+,e,⪯), for all sets X and
Y, the relation on the hom-set Set(X, (K,+,e)^{(A × Y)}) defined by

$$f_1 \preceq f_2 \iff \forall x \in X,\ \forall y \in Y,\ \forall a \in A,\ f_1(x)(a,y) \preceq f_2(x)(a,y)$$

is an order on (K,+,e)^{(A × −)}.

So, we have a category LCoalg(1, (K,+,e)^{(A × −)}) of pointed coalgebras and
lax homomorphisms. The goal of this section is to design a generalized open maps
situation for which (E,S)-bisimilarity characterizes coalgebraic bisimilarity and,
more precisely, for which (E,S)-openness characterizes proper homomorphisms.

In the course of the constructions and proofs, we will need additional
assumptions that we list here.

In the course of the constructions and proofs, we will need additional as- 
sumptions that we list here. 


Definition 5.3. We call an ordered commutative monoid (K,+,e,⪯) a
rearrangement monoid if it satisfies the additional requirement that if
n, m ≥ 1 and

$$\sum_{i=1}^{n} x_i \preceq \sum_{j=1}^{m} y_j$$

then there exists a family (u_{ij})_{1 ≤ i ≤ n, 1 ≤ j ≤ m} such that

$$\text{for all } j,\ \sum_{i=1}^{n} u_{ij} \preceq y_j \quad\text{and}\quad \text{for all } i,\ \sum_{j=1}^{m} u_{ij} = x_i .$$

In addition, we say that a rearrangement monoid is strict if the condition above
holds also when replacing ⪯ with =.

The intuition is as follows. We have some weights arranged as x_1, ..., x_n. We
want to be able to decompose those weights into smaller weights, the u_{ij}s, and
by rearranging those small weights obtain weights smaller than the y_j. This
condition states that this is possible when there is enough weight in total. The
special case of strictness is called the row-column property in [17].
Lemma 5.4. For any subgroup G of the real numbers (ℝ^n, +, −, 0) such that
for all x, y in G, (min(x_1, y_1), ..., min(x_n, y_n)) ∈ G, the monoids
(G, +, 0, ≤) and (G_{≥0}, +, 0, ≤), where ≤ is the usual order on ℝ^n, are
strict rearrangement monoids.

For any lattice with bottom element (L, ≤, ⊔, ⊓, ⊥), (L, ⊔, ⊥, ≤) is a
rearrangement monoid if and only if (L, ≤, ⊔, ⊓) is distributive. Furthermore,
in that case, it is always strict.

Another property is a form of positivity: we say that an ordered monoid is
positively ordered if e is the bottom element for ⪯, that is, for all k ∈ K,
e ⪯ k.

Example 5.5. The positive real line (ℝ_+, +, 0, ≤) is a positively ordered strict
rearrangement monoid, and it is necessary to define probabilistic systems.
Another example is the monoid of natural numbers (ℕ, +, 0, ≤), which defines the
bag functor. Finally, any distributive lattice with bottom element (L, ⊔, ⊥, ≤),
typically a powerset lattice (P(X), ∪, ∅, ⊆), is too. On the contrary,
(ℝ, +, 0, ≤) and (ℤ, +, 0, ≤) are strict rearrangement monoids but are not
positively ordered. Conversely, (ℕ_{≥1}, ×, 1, ≤) is positively ordered but not a
rearrangement monoid. Indeed, it is impossible to rearrange the inequality
2 × 5 < 3 × 4.
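The decomposition required by Definition 5.3 can be computed directly for the additive monoids of Lemma 5.4 and Example 5.5. The Python below is an added example, not code from the paper: a greedy scan producing the family u_{ij} over (ℚ_{≥0}, +, 0, ≤), which is a strict rearrangement monoid by Lemma 5.4 since ℚ is a subgroup of ℝ closed under min; a checker for the row and column constraints (with the strict variant); and an exhaustive search showing that the inequality 2 × 5 < 3 × 4 in (ℕ_{≥1}, ×, 1, ≤) from Example 5.5 admits no rearrangement. All inputs and the function names are constructed for this example.

```python
from fractions import Fraction
from itertools import product
from math import prod


def rearrange_additive(xs, ys):
    """Witness for Definition 5.3 in (Q_{>=0}, +, 0, <=).

    Given x_1..x_n and y_1..y_m with sum(xs) <= sum(ys), returns a matrix u with
    sum_j u[i][j] == x_i for every row and sum_i u[i][j] <= y_j for every column,
    or None when the total weight is insufficient. The greedy scan fills each x_i
    from the remaining capacity of the y_j in order; because every column left
    behind is exhausted, the total-capacity assumption guarantees the last
    column can still absorb whatever remains."""
    xs = [Fraction(x) for x in xs]
    ys = [Fraction(y) for y in ys]
    if sum(xs) > sum(ys):
        return None
    cap = list(ys)                       # remaining capacity of each y_j
    u = [[Fraction(0)] * len(ys) for _ in xs]
    j = 0
    for i, x in enumerate(xs):
        need = x
        while need > 0:
            take = min(need, cap[j])
            u[i][j] += take
            need -= take
            cap[j] -= take
            if need > 0:
                j += 1                   # y_j is exhausted: move to the next column
    return u


def is_rearrangement(xs, ys, u, strict=False):
    """Check the two constraints of Definition 5.3 for a candidate family u.
    With strict=True the column condition is equality, as in a strict monoid."""
    rows_ok = all(sum(u[i]) == xs[i] for i in range(len(xs)))
    cols = [sum(u[i][j] for i in range(len(xs))) for j in range(len(ys))]
    if strict:
        cols_ok = all(c == y for c, y in zip(cols, ys))
    else:
        cols_ok = all(c <= y for c, y in zip(cols, ys))
    return rows_ok and cols_ok


def rearrange_multiplicative(xs, ys):
    """Exhaustive search for the same condition in (N_{>=1}, x, 1, <=):
    u_ij >= 1 with prod_j u_ij == x_i and prod_i u_ij <= y_j. Each row can only
    consist of divisors of x_i, so the search space is finite. Returns None when
    no witness exists."""
    m = len(ys)

    def divisors(n):
        return [d for d in range(1, n + 1) if n % d == 0]

    row_choices = [[row for row in product(divisors(x), repeat=m) if prod(row) == x]
                   for x in xs]
    for rows in product(*row_choices):
        if all(prod(rows[i][j] for i in range(len(xs))) <= ys[j] for j in range(m)):
            return [list(r) for r in rows]
    return None


if __name__ == "__main__":
    print(rearrange_additive([2, 5], [3, 4]))          # [[2, 0], [1, 4]]
    print(rearrange_multiplicative([2, 5], [3, 4]))    # None: 10 <= 12 cannot be rearranged
```

Running the additive witness on x = (2, 5), y = (3, 4) exercises the strict case (7 = 7), while the multiplicative search confirms the non-example from the text: although 2 × 5 ≤ 3 × 4 holds, no matrix of divisors satisfies both the row products and the column bounds.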


5.2 Generalized Open Maps Situation for Weighted Systems 


Let (K,+,e,⪯) be a commutative ordered monoid. Elements of V_K are

– either words on A × (K \ {e}), w = (a_1,k_1), ..., (a_n,k_n),
– or triples (w_1, b, w_2) of a word w_1 on A × (K \ {e}), a letter b ∈ A, and a
  non-empty word w_2 on (K \ {e}).

The function J_E maps

– a word w = (a_1,k_1), ..., (a_n,k_n) to the linear system
  0 →(a_1,k_1) 1 →(a_2,k_2) ... →(a_n,k_n) n,
  that is, to the coalgebra Jw: {0,...,n} → K^{(A × {0,...,n})} such that
  if b = a_{i+1} and j = i+1 then Jw(i)(b,j) = k_{i+1}, and Jw(i)(b,j) = e otherwise.
– a triple (w_1, b, w_2) with w_1 = (a_1,k_1), ..., (a_n,k_n) and w_2 = l_1, ..., l_m
  to the system consisting of the same linear part
  0 →(a_1,k_1) 1 →(a_2,k_2) ... →(a_n,k_n) n followed by m branches
  n →(b,l_1) (n+1,1), ..., n →(b,l_m) (n+1,m) out of the last state;
  that is, J(w_1,b,w_2)(n)(n+1,i) = (b, l_i).

The category E_K is defined as follows. For every w_1, b, and w_2, there is a
unique edge e from w_1 to (w_1,b,w_2). The functor then maps this edge e to J_E e,
the obvious injection.

The category S_K has two types of morphisms:

The category Sx has two types of morphisms: 
[Fig. 1. Example of a lifting of a path extension in ℝ_+-weighted systems and for a
singleton label alphabet |A| = 1, thus omitting action labels. (Figure not reproduced.)]


– identities on words w_1,
– morphisms from (w_1, b, w_2') to (w_1, b, w_2), with w_2' = l'_1, ..., l'_{m'} and
  m ≤ m', which are given by surjective monotone functions s: {1,...,m'} → {1,...,m}
  such that for all i ≤ m, l_i = Σ_{s(j) = i} l'_j.

The functor J_S then maps s of the second type to the proper homomorphism
J_S s which maps i to i and (n+1, j) to (n+1, s(j)).

As a piece of notation, for a morphism x: Jw → X, with w of length n, we
denote x(n) ∈ X by end(x). We then say that a state p of X is reachable if there
is a morphism of type x: Jw → X with end(x) = p. By extension, we say that
X is reachable if all its states are reachable.


5.3 Equivalence between Open Maps and Proper Homomorphisms 


An example of an (E,S)-open map h is provided in Figure 1, together with a path
extension that is lifted. As is often the case for non-deterministic systems,
the lifting map d is not unique. Hence, only existence (and not uniqueness) is
required in the lifting property. Since h is a proper homomorphism, it provides
a lifting for all extensions, as we show in general:


Theorem 5.6. Assume a lax homomorphism f: X → Y. If f is (E_K,S_K)-open,
X is reachable, and K is positively ordered, then f is a proper homomorphism.
Conversely, if f is a proper homomorphism and K is a rearrangement monoid,
then f is (E_K,S_K)-open. In particular, if K is a positively ordered rearrangement
monoid, two weighted systems X and Y are (E_K,S_K)-bisimilar if and only if they
are coalgebraically bisimilar.


For an endofunctor on Set, to prove that coalgebraic bisimilarity is an equiv- 
alence relation it is enough to show that the functor preserves weak-pullbacks. 
In the case of the weighted functor, this is given by strictness (see also [17]): 
Corollary 5.7. If K is a positively ordered strict rearrangement monoid, then
(E_K,S_K)-bisimilarity is an equivalence relation.


5.4 About Sub-distribution Functor 


Until now, we have not dealt with probabilistic systems, that is, coalgebras
for the sub-distribution functor D_{≤1}. Those coalgebras are particular cases of
coalgebras for the weighted functor X ↦ (ℝ_+,+,0)^{(A × X)}. We want to show in this
section that it is equivalent to consider coalgebras for X ↦ D_{≤1}(A × X) as
coalgebras for X ↦ (ℝ_+,+,0)^{(A × X)}, in the sense that two coalgebras for the
former are bisimilar if and only if they are bisimilar when seen as coalgebras for
the latter. The main ingredient is the following remark.


Lemma 5.8. Assume a pointed coalgebra 1 →i X →c D_{≤1}(A × X) and assume
given a lax (resp. proper) homomorphism f from 1 →j Y →d (ℝ_+,+,0)^{(A × Y)}
to 1 →i X →c D_{≤1}(A × X) ⊆ (ℝ_+,+,0)^{(A × X)}. Then Y →d D_{≤1}(A × Y) and
f is a lax (resp. proper) homomorphism from 1 →j Y →d D_{≤1}(A × Y) to
1 →i X →c D_{≤1}(A × X).


Remark that this property does not hold for the proper distribution functor D.
This suggests that we can define a generalized open maps situation E_P, S_P for
coalgebras for the functor X ↦ D_{≤1}(A × X) by considering E_{(ℝ_+,+)}, S_{(ℝ_+,+)} as
defined in Section 5.2, and restricting it to those v such that Jv is a coalgebra
for X ↦ D_{≤1}(A × X).


Corollary 5.9. A lax homomorphism from 1 →j Y →d D_{≤1}(A × Y) to
1 →i X →c D_{≤1}(A × X) is (E_P, S_P)-open if and only if it is
(E_{(ℝ_+,+)}, S_{(ℝ_+,+)})-open. Furthermore, two D_{≤1}(A × −)-coalgebras are
(E_P, S_P)-bisimilar if and only if they are (E_{(ℝ_+,+)}, S_{(ℝ_+,+)})-bisimilar.


Finally, the main result of this section: 


Theorem 5.10. Let f: X → Y be a lax homomorphism between D_{≤1}(A × −)-
coalgebras (X,c,i) and (Y,d,j). If (X,c,i) is reachable and f is (E_P,S_P)-open,
then f is a proper homomorphism. Conversely, if f is a proper homomorphism,
then it is (E_P,S_P)-open. Moreover, two D_{≤1}(A × −)-coalgebras (X,c,i) and
(Y,d,j) are (E_P,S_P)-bisimilar if and only if they are coalgebraically bisimilar.


6 Open Maps for Branching Bisimilarity 


In this section, we present a new way of modeling branching and weak bisimulations
using our generalized framework of open maps. Using this additional flexibility,
we no longer need to rely on weak morphisms, but only on a slight modification of
the morphisms described in Definition 2.1. Concretely, we build a generalized open
map situation such that stuttering branching bisimulations coincide with strong
path bisimulations, and in this case they precisely characterize (E,S)-bisimilarity.
In addition, in this framework, path bisimulations precisely correspond to weak
bisimulations, witnessing branching bisimilarity as the history-preserving analogue
of weak bisimilarity.


6.1 LTSs with Internal Moves, Category and Bisimilarities 


Definition 6.1. For a fixed set A of labels with a particular element τ (called
internal move), the category WLTS contains the same objects as LTS, and its
morphisms f: (X,→,x_0) → (Y,→,y_0) are functions f: X → Y such that
f(x_0) = y_0 and for all x →a x' in X, we have f(x) →a f(x'), or a = τ and
f(x) = f(x').

LTS is a (non-full) subcategory of WLTS, and in fact the LTS-morphisms
will be used later in the paper. For easier distinction, we use the terminology
strong morphisms for WLTS-morphisms that are also in LTS (alluding to strong
bisimulations, which were the bisimulation notion in LTS). Another notion of
morphisms are the so-called weak morphisms [3]:

– if x →a x' in X, then f(x) (→τ)* →a (→τ)* f(x') in Y,
– if x →τ x' in X, then f(x) (→τ)* f(x') in Y.

Though we do not use weak morphisms in the following development of the
paper, it is worth mentioning that the WLTS-morphisms form a proper subclass of
the weak morphisms.


Definition 6.2. A branching bisimulation from (X, →_X, i_X) to (Y, →_Y, i_Y) is
a relation R ⊆ X × Y such that (i_X, i_Y) ∈ R, and for (x,y) ∈ R:
– if x →a x' then
  • a = τ and (x', y) ∈ R, or
  • y →τ y_1 →τ ... →τ y_n →a z_1 →τ ... →τ z_m such that (x, y_n),
    (x', z_1), and (x', z_m) ∈ R.
– symmetrically when y →a y'.
If furthermore in the second condition (x, y_i), (x', z_i) ∈ R for all i (and
symmetrically in the third condition), then R is said to be stuttering.


It is known from [23] that the largest branching bisimulation is stuttering, 
so that both notions generate the same bisimilarity. In the following, we will 
prove that strong path bisimulations are more naturally related to stuttering 
branching bisimulations thanks to their backward closure. 


Definition 6.3. A weak bisimulation from (X, →_X, i_X) to (Y, →_Y, i_Y) is a
relation R ⊆ X × Y such that (i_X, i_Y) ∈ R, and for (x,y) ∈ R:
– if x →τ x', then there is y' such that (x', y') ∈ R and y (→τ)* y',
– if x →a x' with a ≠ τ, then there is y' such that (x', y') ∈ R and
  y (→τ)* →a (→τ)* y',
– symmetrically when y →τ y' or y →a y'.

It is clear that a (stuttering) branching bisimulation is a weak bisimulation.
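To make Definitions 6.2 and 6.3 concrete, here is an added Python example, not code from the paper, that computes the largest weak and the largest branching bisimulation on a small LTS with internal moves by greatest-fixpoint refinement over all pairs of states, and then checks whether two given initial states are related. The transition table is constructed for the example: the processes a.(b + τ.c) and a.(b + τ.c) + a.c are weakly bisimilar but not branching bisimilar, so the two computations separate the notions. For the branching condition only the first state z_1 of the matching path is used (m = 1), which suffices for the existence condition of Definition 6.2; the stuttering refinement is not checked. All function names are constructed for this example.

```python
from itertools import product

TAU = "tau"

# Constructed example (not from the paper): two LTSs on disjoint state sets,
# kept in one transition table so that a single relation over all states
# covers both directions of the definitions.
#   p = a.(b + tau.c)            q = a.(b + tau.c) + a.c
LTS = {
    "p":  [("a", "p1")],
    "p1": [("b", "p2"), (TAU, "p3")],
    "p3": [("c", "p4")],
    "q":  [("a", "q1"), ("a", "q5")],
    "q1": [("b", "q2"), (TAU, "q3")],
    "q3": [("c", "q4")],
    "q5": [("c", "q6")],
}


def states_of(lts):
    return set(lts) | {t for moves in lts.values() for _, t in moves}


def tau_closure(lts, s):
    """States reachable from s by zero or more tau-moves: s (->tau)* s'."""
    seen, stack = {s}, [s]
    while stack:
        u = stack.pop()
        for a, v in lts.get(u, ()):
            if a == TAU and v not in seen:
                seen.add(v)
                stack.append(v)
    return seen


def weak_condition(lts, R, x, y):
    """Definition 6.3, one direction: every move of x is matched by y up to tau*."""
    for a, x2 in lts.get(x, ()):
        if a == TAU:
            targets = tau_closure(lts, y)                  # y (->tau)* y'
        else:
            targets = set()                                # y (->tau)* ->a (->tau)* y'
            for y1 in tau_closure(lts, y):
                for b, y2 in lts.get(y1, ()):
                    if b == a:
                        targets |= tau_closure(lts, y2)
        if not any((x2, y2) in R for y2 in targets):
            return False
    return True


def branching_condition(lts, R, x, y):
    """Definition 6.2, one direction: a tau-move may be absorbed (a = tau and
    (x', y) in R); otherwise y (->tau)* y_n ->a z_1 with (x, y_n), (x', z_1) in R."""
    for a, x2 in lts.get(x, ()):
        if a == TAU and (x2, y) in R:
            continue
        matched = any(
            b == a and (x2, z1) in R
            for yn in tau_closure(lts, y) if (x, yn) in R
            for b, z1 in lts.get(yn, ())
        )
        if not matched:
            return False
    return True


def largest_relation(lts, condition):
    """Greatest fixpoint: start from all pairs and discard those violating the
    condition in either direction. The conditions are monotone in R, so a pair
    discarded under a larger R also fails under the final one, and the loop
    stops at the largest relation satisfying the condition."""
    S = states_of(lts)
    R = set(product(S, S))
    changed = True
    while changed:
        changed = False
        for x, y in list(R):
            if not (condition(lts, R, x, y) and condition(lts, R, y, x)):
                R.discard((x, y))
                changed = True
    return R


def weakly_bisimilar(lts, s, t):
    return (s, t) in largest_relation(lts, weak_condition)


def branching_bisimilar(lts, s, t):
    return (s, t) in largest_relation(lts, branching_condition)


if __name__ == "__main__":
    print("weak:", weakly_bisimilar(LTS, "p", "q"))            # True
    print("branching:", branching_bisimilar(LTS, "p", "q"))    # False
```

The pair (p, q) fails the branching condition because q's move a to q5 has to be matched by p through p →a p1 →τ p3, and Definition 6.2 requires the intermediate state p1 to be related to q5, which it is not (p1 can still do b). Weak bisimulation only asks for some p' with p (→τ)* →a (→τ)* p' related to q5, and p3 qualifies.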
6.2 Generalized Open Maps for Branching Bisimulations


In this section, we describe the generalized open maps situation that captures
branching bisimulation. Like for plain LTSs (Def. 2.2), elements of V will be
words on A, representing a finite linear LTS labelled by this word. However,
to emphasize the particularity of the internal move τ, we will provide another
presentation here.

Here, V is the set of sequences of the form v = n_1, a_1, n_2, ..., n_k, a_k, n_{k+1}
such that a_i ∈ A \ {τ} and n_i ∈ ℕ, e.g. ττaτbcτ = 2,a,1,b,0,c,1. The natural
numbers n_i ∈ ℕ ≅ {τ}* represent the number of internal moves between two
observable moves. Then, J maps this sequence to the usual linear LTS with
initial state (0,1):

  Jv = (0,1) →τ (1,1) →τ ... →τ (n_1,1) →a_1 (0,2) →τ ... →τ (n_2,2) →a_2 ... →a_k (0,k+1) →τ ... →τ (n_{k+1},k+1)

Elements of E append at most one observable (i.e. non-τ) move:
– Only internal moves: for sequences v = n_1, a_1, ..., a_k, n_{k+1} and
  w = n_1, a_1, ..., a_k, n'_{k+1} with n_{k+1} ≤ n'_{k+1} there is a unique edge
  e_τ: v → w in E, e.g. e_τ: 2,a,1,b,0,c,1 → 2,a,1,b,0,c,3.
– One observable move: for sequences v = n_1, a_1, ..., a_k, n_{k+1} and
  w = n_1, a_1, ..., a_k, n'_{k+1}, a, n_{k+2} with n_{k+1} ≤ n'_{k+1} there is a
  unique edge e_a: v → w in E.


The graph morphism J_E: E → M maps those edges to the obvious inclusion,
mapping state (i,j) of Jv to the same state in Jw.

Strictly speaking, E is not a category, but just a graph, because we have
a ≤ ab and ab ≤ abc, but there is no morphism from a to abc. To fit in
the framework of Section 4, we take the free category Free(E) generated by
this graph and the unique functor extending the graph homomorphism J_E. By
Proposition 4.8, it is equivalent to consider Free(E) and E for openness and path
bisimulations, so we will talk of (E,S)-openness when we mean (Free(E),S)-
openness, and all the statements and proofs will be done using E only.

Elements of S are trickier to describe. The intuition is that they are
morphisms that merge states. In the context of LTSs with internal moves, merging
happens when the source and the target of a τ-transition are mapped to the
same state. This is crucial for the open maps we want to describe: to lift one
τ-transition, it might be necessary to use several τ-transitions. With this
knowledge, elements of S are as follows.

– Merging internal moves: morphisms in S from v = n_1, a_1, ..., a_k, n_{k+1} to
  w = n'_1, a_1, ..., a_k, n'_{k+1} with n_i ≥ n'_i are (k+1)-tuples s = (s_1, ..., s_{k+1})
  of monotone surjective functions s_i: {0 < 1 < ... < n_i} → {0 < 1 < ... < n'_i}.

For example, there are two morphisms from aττb = 0,a,2,b,0 to aτb = 0,a,1,b,0,
one for each τ that can be dropped. The functor J_S then maps s to the morphism
from Jv to Jw defined by J_S(s)(i,j) = (s_j(i), j).
As a piece of notation, for a morphism x: J(n_1, a_1, ..., a_k, n_{k+1}) → X, we
denote x(n_{k+1}, k+1) ∈ X by end(x).


6.3 Equivalence of Bisimilarities 


In this section, we prove that (E,S)-bisimilarity indeed coincides with branching
bisimilarity. To do so, we first prove that for the present instance of E and S
(Sec. 6.2), (E,S)-bisimilarity coincides with strong path bisimilarity. In general,
(E,S)-bisimilarity implies strong path bisimilarity (Theorem 4.7), so it remains
to show the converse direction for the present instance. To this end, we start by
internalizing strong path bisimulations into objects of LTS/WLTS, in order to
relate them to open maps:


Definition 6.4. For a strong path bisimulation R from X to Y, define the LTS
R̃ = (R, →_R̃, (X ←!_X J0 →!_Y Y)) to have transitions

  (X ←x Jv →y Y) →a (X ←x' Jw →y' Y)

– for a ≠ τ with v = (n_1, a_1, ..., a_k, n_{k+1}), w = (n_1, a_1, ..., a_k, n_{k+1}, a, 0),
  x = x' · J_E e_a, and y = y' · J_E e_a (for the unique e_a: v → w);
– for a = τ with v = (n_1, a_1, ..., a_k, n_{k+1}), w = (n_1, a_1, ..., a_k, n_{k+1} + 1),
  x = x' · J_E e_τ, and y = y' · J_E e_τ (for the unique e_τ: v → w).


As a first observation, we describe runs in R̃ in terms of projection maps:

Lemma 6.5. In WLTS, we have projection maps X ←π_X R̃ →π_Y Y given by
π_X: (X ←x Jv →y Y) ↦ end(x) and π_Y: (X ←x Jv →y Y) ↦ end(y). For every
strong morphism r: Ju → R̃ (i.e. r ∈ LTS), end(r) is of the form
(X ←π_X·r Ju →π_Y·r Y).


Remark that in this statement, we require r to be strong and not just a
morphism of WLTS. With a morphism of WLTS, the statement would become that
there is s: v' → v ∈ S such that π_X · r = x · J_S s instead. For the characterization
of open maps in WLTS, it suffices for our needs to restrict to strong morphisms:

Lemma 6.6. For f: X → Y in WLTS to be (E,S)-open, it is sufficient to verify
the lifting in Definition 4.1 in the special case of x being a strong morphism.

We use this simplification to prove that the projection maps π_X, π_Y are open:

Proposition 6.7. For a strong path bisimulation R from X to Y, the projections
X ←π_X R̃ →π_Y Y are both (E,S)-open.


The next step is to prove the equivalence between strong path and stuttering 
branching bisimulations. 
Table 1. Equivalences of bisimilarity notions in LTSs with τ-actions X, Y ∈ WLTS

  branching bisimilarity  ⟺  strong path bisimilarity  (Theorem 6.8)
                          ⟺  (E,S)-bisimilarity        (Proposition 6.7 & Theorem 4.7)
  weak bisimilarity       ⟺  path bisimilarity         (Theorem 6.9)


Theorem 6.8. If R is a stuttering branching bisimulation from X to Y, then

$$\tilde R = \{\, X \xleftarrow{x} Jv \xrightarrow{y} Y \mid v = (n_1, a_1, \ldots, n_{k+1}) \wedge \forall i, j.\ (x(i,j), y(i,j)) \in R \,\}$$

is a strong path bisimulation. Conversely, if R is a strong path bisimulation, then

$$\check R = \{\, (\mathrm{end}(x), \mathrm{end}(y)) \mid (X \xleftarrow{x} Jv \xrightarrow{y} Y) \in R \,\}$$

is a stuttering branching bisimulation.


The same reasoning can be made for weak and path bisimulations: 


Theorem 6.9. If R is a weak bisimulation from X to Y, then

$$\tilde R = \{\, X \xleftarrow{x} Jv \xrightarrow{y} Y \mid (\mathrm{end}(x), \mathrm{end}(y)) \in R \,\}$$

is a path bisimulation. If R is a path bisimulation, then $\check R$ is a weak bisimulation.


In total, we can describe branching and weak bisimilarity by categorical 
bisimilarity notions, as summarized in Table 1. 


7 Conclusions and Future Work 


In this paper, we investigate bisimilarities of weighted and probabilistic systems 
through the theory of open maps. After showing that the usual theory cannot 
capture weights, we provide a faithful extension of the theory by the notion of 
mergings. The new theory has similar properties (equivalence relation, charac- 
terization as sets of spans, restriction to generators) as classical open maps but 
also captures bisimilarity of weighted systems and even branching bisimilarity. 

The new instances come at the cost of more parameters to the theory. It 
remains for future work whether the parameters E, S can be combined in a 
single path category with two morphism classes and morphism factorizations. It 
would also be illuminating to know whether this new theory satisfies the axioms 
of a class of open maps from [15], in particular for toposes of coalgebras [14]. 

For the framework as presented, we would like to formally relate it to coalge- 
bra — as this has been done for non-deterministic systems [19,25]. Furthermore, 
we would like to investigate how system semantics of true concurrency, such 
as Higher Dimensional Automata [21] can be integrated. Designing open maps 
for them turned out to be complicated (see [8]), but a hope would be that the 
addition of mergings would allow modeling homotopy more naturally. 

Finally, it would be interesting to see whether our theory captures quantitative
extensions of systems classically modeled by open maps, such as probabilistic and
quantum extensions of Petri nets and event structures (see [24] for example).
Abstract. In the theory of coalgebras, distributive laws give a general
perspective on determinisation and other automata constructions. This 
perspective has recently been extended to include so-called weak distribu- 
tive laws, covering several constructions on state-based systems that are 
not captured by regular distributive laws, such as the construction of a 
belief-state transformer from a probabilistic automaton, and ultrafilter 
extensions of Kripke frames. 

In this paper we first observe that weak distributive laws give rise to the 
more general notion of what we call an invertible step: a pair of natural 
transformations that allows to move coalgebras along an adjunction. Our 
main result is that part of the construction induced by an invertible 
step preserves and reflects bisimilarity. This covers results that have 
previously been shown by hand for the instances of ultrafilter extensions 
and belief-state transformers. 


Keywords: Coalgebra · Bisimulations · Weak distributive laws


1 Introduction 


Distributive laws between a monad T and a functor B are ubiquitous in the 
theory of coalgebras. They capture various forms of interaction between algebras 
and coalgebras, including structural operational semantics [45,33], efficient proof 
techniques [9] and a general coalgebraic determinisation procedure which applies 
to a wide range of automata and other state-based systems [43,15,29]. 

The central idea of this general determinisation procedure is to interpret 
coalgebras in the Eilenberg-Moore category EM(T), as coalgebras for a lifting of 
B that arises from the distributive law. Behavioural equivalence in EM(T) then 
amounts to desired notions of equivalence. For instance: language equivalence of 
non-deterministic automata; weighted automata [7]; Mealy and Moore machines
with side-effects [43]; or various types of trace equivalence of transition systems [8]. 

An illustrative non-example of this general determinisation procedure is in 
a natural construction of belief-state transformers from probabilistic automata, 
which feature both non-determinism and probabilities. From a categorical per- 
spective, the problem is related to the classical result that there is no suitable 
distributive law of the probability distribution monad D over the powerset monad 
P [46] (also see [47,34] for other non-existence results of distributive laws). Hence,
general determinisation via distributive laws seems not applicable here. 

Nevertheless, in [12] a concrete coalgebraic account of the construction of 
belief-state transformers is given, in terms of a two-stage process: 


1. from probabilistic automata to coalgebras in EM(D), which are a type of 
labelled transition systems over convex algebras; 

2. from these coalgebras in EM(D) back to plain transition systems in Set, 
yielding the belief-state transformer. 


A key result in op. cit. is that the second stage preserves and reflects behavioural 
equivalence. This shows that behavioural equivalence of coalgebras in EM(D) 
coincides with distribution bisimilarity on the belief-state transformer. 

In [12,21] it was shown that this construction, in fact, arises from a canonical 
weak distributive law of D over P [22]. Weak distributive laws correspond to 
so-called weak liftings [19], and—as shown in [22]—these yield a new gener- 
alised determinisation procedure which covers the above example, and precisely 
instantiates to the two stages above. Further examples are the treatment of 
alternating automata via weak distributive laws in [23], and weak distributive 
laws for combining non-determinism with semimodules in [10]. 

However, the result for probabilistic automata that the second stage above 
preserves and reflects behavioural equivalence has not yet been accounted for in 
the abstract theory of determinisation via weak distributive laws. 

In this paper we provide such an account, starting from a more general setting 
than weak distributive laws: what we call invertible steps. These basically replace 
the Eilenberg-Moore adjunction inherent in the weak liftings approach by a 
general adjunction. In this context, a step allows one to lift the left adjoint to 
coalgebras—this is a widely occurring phenomenon, for instance in the semantics 
of coalgebraic modal logic, testing semantics and trace semantics (see [41] for an 
overview). The key idea here is to assume a right inverse, allowing the lifting of 
the right adjoint, such that we generalise the two-stage construction above. 

We show that, in this setting of an invertible step, the second stage of the 
two-stage construction preserves and reflects bisimilarity, under mild conditions. 
As a consequence, we recover the above-mentioned results on preservation and 
reflection of behavioural equivalence for probabilistic automata [12] for free from 
the abstract theory.³ Another motivating example is that of coalgebras for the
Vietoris functor on the category of Stone spaces: we obtain that bisimilarity is 
preserved and reflected by the forgetful functor, recovering the main result in [5]. 

In fact, the latter example is related to a coalgebraic presentation [36] of 
ultrafilter extensions, a standard construction in modal logic [6]. It fits within the 
general setting of invertible steps, but not directly in weak liftings, as it involves 
the category of Stone spaces (for the duality with Boolean algebras). However, 
if we move from Stone spaces to compact Hausdorff spaces, then the relevant 
weak lifting (or invertible step) arises precisely from the weak distributive law 


³ We focus on bisimilarity, but our setting allows for an easy argument that this
coincides with behavioural equivalence in this and many related examples.
constructed by Garner [19]. The weak distributive law in loc. cit. thus gives rise
to ultrafilter extensions in modal logic. 

Finally, we include an example of an invertible step involving Set^op instead
of an Eilenberg-Moore category. Steps for adjunctions with opposite categories 
are a standard way of presenting the semantics of coalgebraic modal logic [40,32]. 
The included example shows the generality of the approach. 


Outline. Section 2 presents (invertible) steps, the relation to weak liftings and 
distributive laws, and a range of examples. In Section 3 we recall the standard 
notion of coalgebraic bisimilarity, defined via relation lifting. Section 4 contains 
the main results on preservation and reflection of bisimilarity. In Section 5 we 
discuss applications and instances of these results. We discuss other notions of 
bisimulation, and future work, in Section 6. 


2 Forward and Backward Steps 


We briefly present the required theory of steps, first termed as such in [41]. This 
structure occurs already in work on coalgebraic modal logic [35,14,40,32,17,38] 
where a step gives the one-step semantics of a logic. In existing work, only what 
we call a forward step is considered. Here, we also speak of backward steps, being 
arrows in the opposite direction. In the sequel, such forward and backward steps 
will usually be each other’s (one-sided) inverses, referred to as invertible steps. 

Next, we recall how such steps give rise to liftings of functors between 
categories of coalgebras and further, when the adjunction underlying the steps 
can also be lifted to coalgebras [27]. Finally, we present examples of invertible 
steps from the literature, which we return to in later sections. 

For a functor B: C → C, a coalgebra is a pair (X, f) consisting of an object X 
and an arrow f: X → BX. A homomorphism from (X, f) to (Y, g) is an arrow 
h: X → Y such that g ∘ h = Bh ∘ f. Coalgebras and homomorphisms between 
them form a category, denoted by Coalg(B), or Coalg_C(B) if we wish to make 
the underlying category explicit. 

The category of sets and functions is denoted by Set. For a monad T, we 
write EM(T) for the category of Eilenberg-Moore algebras. The powerset monad 
is denoted by P: Set → Set, given on objects by P(X) = {S | S ⊆ X}, and 
the finitely-supported distribution monad by D: Set → Set, given by D(X) = 
{φ: X → [0,1] | Σ_{x∈X} φ(x) = 1, supp(φ) finite} (see also [12]). 


2.1 Invertible Steps 
The basic setting of interest in this work consists of the following: 


Definition 2.1. Given an adjunction P ⊣ Q: D → C and endofunctors B: C → 
C and L: D → D as in the diagram 

[diagram (1): B acting on C, L acting on D, with P: C → D drawn above Q: D → C and P ⊣ Q] 

a (forward) step is a natural transformation δ: BQ → QL. A backward step is 
simply a natural transformation ι: QL → BQ going the other way. If, moreover, 
δ ∘ ι = id then we call δ an invertible step (with right inverse ι). Finally, if δ 
witnesses an isomorphism then we call it an isomorphic step. 


Notice the asymmetry in the definition of invertible step: ι is always assumed 
to be a right inverse of δ. These invertible steps are the main focus of this paper. 
Examples are given below in Section 2.2. 


Step-induced liftings There is a bijective correspondence between a step 
δ: BQ → QL and its mate δ̂: PB → LP, given by the composite 

PB --PBη--> PBQP --PδP--> PQLP --εLP--> LP 

(see [37,31]). This mate and the backward step allow us to define liftings of P 
and Q to the categories of coalgebras for B and L. 


Definition 2.2. Given steps δ: BQ → QL and ι: QL → BQ, the step-induced 
coalgebra liftings P̄: Coalg(B) → Coalg(L) and Q̄: Coalg(L) → Coalg(B) of P 
and Q are defined by 

f: X → BX ↦ δ̂_X ∘ Pf: PX → LPX (2) 
g: Y → LY ↦ ι_Y ∘ Qg: QY → BQY (3) 

on objects and act as P and Q on arrows. This is well-defined due to functoriality 
of P and Q and naturality of δ̂ and ι. 


It is shown in [27, Theorem 2.14] that, when δ and ι form an isomorphism, 
the adjunction P ⊣ Q lifts to an adjunction P̄ ⊣ Q̄ between the step-induced 
liftings. For our purposes it will be useful to split the isomorphism condition into 
the cases where ι is the left or right inverse of δ. 


Lemma 2.3. If δ ∘ ι = id, then the counit ε: PQ → Id of the adjunction P ⊣ Q 
lifts to a natural transformation ε̄: P̄Q̄ → Id. If ι ∘ δ = id, then the unit η: Id → 
QP of the adjunction lifts to a natural transformation η̄: Id → Q̄P̄. 


The combination of these two liftings gives us the lifting of the adjunction. 

Corollary 2.4. If δ and ι form an isomorphism, then P̄ ⊣ Q̄. 


In such a situation, Q̄ (being a right adjoint) preserves the final coalgebra 
for L (the limit of the empty diagram) when this exists. However, there are a 
number of known examples where the step is not an isomorphism; instead we 
only have a one-sided inverse. We consider, in particular, these invertible steps, 
and in the next subsection give a number of examples of this setting. 


2.2 Steps from weak liftings, and other examples 


Example 2.5. Our first example arises from the work of Garner, who shows that 
the Vietoris monad V on the category CHaus of compact Hausdorff spaces arises 
as a so-called weak lifting of the powerset monad [19] (we discuss weak liftings in 
general after this example). For the definition of the Vietoris monad the reader is 
referred to [19, Sec. 2.3]. The category CHaus is equivalent to the Eilenberg-Moore 
category EM(β) of the ultrafilter monad β [39]. The weak lifting provided by 
Garner consists of natural transformations ι, δ satisfying δ ∘ ι = id: 

[diagram (4): P acting on Set, V acting on EM(β), with F: Set → EM(β) drawn above U: EM(β) → Set, F ⊣ U, and δ: PU → UV, ι: UV → PU] 

where F ⊣ U is the Eilenberg-Moore adjunction of β. Notice that δ is an invertible 
step, with right inverse ι. As shown by Garner, a component δ_X: PUX → UVX 
sends each subset S ∈ PUX to its topological closure. The components of ι 
simply include the closed subsets into the powerset. 

It turns out that this invertible step gives rise to ultrafilter extensions of 
Kripke frames. In modal logic, ultrafilter extensions [6,20,4] are a construction 
taking a Kripke frame (which we can see as a coalgebra for the powerset functor P) 
with state space W and forming a new Kripke frame with states being ultrafilters 
over W. The central motivation for this is in “bisimilarity-somewhere-else” results: 
two states are modally equivalent iff they are bisimilar in the ultrafilter extension. 

Now, the composition of the step-induced coalgebra liftings F̄: Coalg(P) → 
Coalg(V) and Ū: Coalg(V) → Coalg(P) precisely yields the ultrafilter extension 
of a Kripke frame. The first stage F̄ is the actual extension, which turns the 
Kripke frame into a V-coalgebra. The second stage Ū turns this back into a 
Kripke frame, i.e., a powerset coalgebra in Set. 

In [36], ultrafilter extensions are developed more generally for coalgebras for a 
functor B: Set → Set, via the duality between Boolean algebras and Stone spaces. 
In fact, since both V and the left adjoint F restrict to the category Stone of Stone 
spaces, the invertible step δ restricts to an invertible step in the restriction of 
the above adjunction to Stone. 


In general, for monads S, T on a category C, Garner [19] defines S̃: EM(T) → 
EM(T) to be a weak lifting of S if there are natural transformations 

US̃ --ι--> SU --δ--> US̃ (5) 

with δ ∘ ι = id and satisfying further axioms, where U denotes the forgetful 
functor from EM(T) to C. They show that there is a bijective correspondence 
between weak distributive laws of T over S, and weak liftings of S to EM(T), 
in case idempotents in C split (which holds for Set). Here, we do not assume a 
monad structure on S (which is why the additional axioms are not relevant). 
In this case, a weak lifting is precisely an invertible step, where the underlying 
adjunction is an Eilenberg-Moore adjunction. 


Example 2.6. In [11,12], a procedure is given for “determinising” probabilistic 
automata (PAs), which model systems with both non-determinism and probabilities, 
into belief state transformers. It was shown in [22] that this is an instance 
of a more general determinisation procedure induced by a weak lifting, which in 
turn corresponds to a canonical weak distributive law. 

Stated for a general monad T with the usual Eilenberg-Moore adjunction 
F ⊣ U: EM(T) → C, this general determinisation procedure thus starts from an 
invertible step (weak lifting) δ: BU → UB̃. This gives rise to a two-step process: 

Coalg_C(BT) --F̂--> Coalg_EM(T)(B̃) --Ū--> Coalg_C(B) (6) 

where the second functor Ū is simply the step-induced lifting of U. The first 
is a variation of a step-induced lifting (notice that it takes BT-coalgebras 
rather than B-coalgebras as input), mapping a coalgebra f: X → BTX to 

FX --Ff--> FBUFX --δ̂_UFX--> B̃FUFX --B̃ε_FX--> B̃FX, where ε is the counit of the 
Eilenberg-Moore adjunction. In fact, this can be viewed as a step-induced lifting 
for BT which arises by composing δ̂ and the counit, see [41]. 

We instantiate this to the Eilenberg-Moore adjunction of the distribution 
monad D, where P_c is the convex powerset monad: 

[diagram (7): P acting on Set, P_c acting on EM(D), with F: Set → EM(D) drawn above U: EM(D) → Set, F ⊣ U] 

We take P_c(X) to have as underlying set {S ⊆ X | S convex} following [22]. 
This matches the usage of P_ne + 1 and P_c + 1 in [12], where P_ne and P_c are 
defined to exclude the empty set. A subset is convex if it is closed under convex 
combinations (see [12] for details). Further, the category EM(D) is equivalent to 
the category of convex algebras and convex maps. 

It is explained in [22, Sec. 5] that we have an invertible step in the setting 
of Eq. (7), which sends a subset to its convex hull (the smallest convex set 
containing it), and that the lifting F̂ of (6) then gives the transformation of a 
probabilistic automaton into a belief state transformer in the category EM(D). 
The second step is then to transfer the obtained belief state transformer back to 
Set with the step-induced lifting of U. As shown in [12] and later recovered from 
our abstract theory (Section 5), this yields a system with the same behaviour. In 
fact, this is done for automata with labels, i.e., for the functors P^L and P_c^L with 
L a set of labels. The weak lifting we will require in this context is given in [21]. 


Example 2.7. The following example from automata and languages considers a 
dual adjunction P ⊣ Q: D^op → C. One motivation to discuss this kind of example 
stems from coalgebraic modal logic where C commonly is some category of ‘spaces’ 
and D commonly is a category of ‘algebras’ [32]. The setup is as follows: 

[diagram (8): B acting on Set, L acting on Set^op, with the contravariant powerset functors P = 2^(−): Set → Set^op drawn above Q = 2^(−): Set^op → Set, P ⊣ Q] 

Here, we have BX = 2 × (PX)^Σ and LX = 1 + Σ × X for a fixed alphabet Σ. 
The step δ is given by 

δ(i, ξ) = {inl(∗) | i = 1} ∪ {inr(a, x) | a ∈ Σ, x ∈ ⋃ξ(a)} (9) 

This step δ is invertible, e.g., by ι as in Eq. (10). 

ι(u) = (1 iff inl(∗) ∈ u, a ↦ {v | {inr(a, x) | x ∈ v} ⊆ u}) (10) 

A B-coalgebra is a non-deterministic automaton. An L-coalgebra in Set^op is an 
algebra 1 + Σ × X → X in Set, which can be seen as specifying the initial state 
and transition structure of a deterministic automaton. From this point of view, 
the coalgebra lifting Q̄: Coalg(L) → Coalg(B) can be seen as first reversing, and 
then performing a powerset construction. The specific powerset construction 
might depend on the chosen right inverse ι, as it is not unique. For ι as in (10), 
for example, u --a--> v in Q̄(A) if and only if each state in v is reachable from a 
state in u via an a-transition in the reverse of A. 
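The step δ of Eq. (9), its right inverse ι of Eq. (10), and the lifted coalgebra Q̄(A) on subsets of states, as an added worked example in Python that is not code from the paper; the two-state automaton A, its alphabet and all function names are constructed here for illustration.

```python
from itertools import combinations

# Added worked example (not from the paper): the step delta of Eq. (9), its
# right inverse iota of Eq. (10), and the step-induced lifting of Q applied to
# a constructed two-state deterministic automaton.

STAR = ("inl", "*")  # the unique element inl(*) of the summand 1 in 1 + Sigma x X


def inr(a, x):
    """Injection of (a, x) into the summand Sigma x X of 1 + Sigma x X."""
    return ("inr", a, x)


def subsets(s):
    """All subsets of the finite set s, as frozensets (the elements of QX = PX)."""
    s = list(s)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]


def delta(i, xi, sigma):
    """Component delta_X: B(QX) -> Q(LX) of Eq. (9).

    i is in {0, 1} and xi maps each letter a to a set of subsets of X;
    the result is a subset of 1 + Sigma x X."""
    out = {STAR} if i == 1 else set()
    for a in sigma:
        for v in xi[a]:  # x ranges over the union of the family xi(a)
            out.update(inr(a, x) for x in v)
    return frozenset(out)


def iota(u, states, sigma):
    """Component iota_X: Q(LX) -> B(QX) of Eq. (10), for u a subset of 1 + Sigma x X."""
    i = 1 if STAR in u else 0
    xi = {a: frozenset(v for v in subsets(states)
                       if all(inr(a, x) in u for x in v))
          for a in sigma}
    return i, xi


def is_right_inverse(states, sigma):
    """True iff delta o iota = id on every subset u of 1 + Sigma x X."""
    lx = [STAR] + [inr(a, x) for a in sigma for x in states]
    return all(delta(*iota(u, states, sigma), sigma) == u for u in subsets(lx))


def left_inverse_fails(states, sigma, a):
    """iota is only a right inverse: a family xi(a) that is not closed under
    taking subsets is not recovered by iota o delta."""
    x = next(iter(states))
    xi = {b: frozenset({frozenset({x})}) if b == a else frozenset() for b in sigma}
    return iota(delta(0, xi, sigma), states, sigma) != (0, xi)


def lifted_Q(states, sigma, init, trans):
    """The B-coalgebra iota_X o Qg on QX (Eq. (3)) for the L-coalgebra, i.e. the
    algebra g: 1 + Sigma x X -> X with g(inl *) = init, g(inr(a, x)) = trans[(x, a)].
    Qg is the inverse image along g; the result maps u to (accepting, successors)."""
    coalg = {}
    for u in subsets(states):
        preimage = {STAR} if init in u else set()
        preimage |= {inr(a, x) for (x, a), y in trans.items() if y in u}
        coalg[u] = iota(frozenset(preimage), states, sigma)
    return coalg


# Constructed sample automaton A: states p, q; alphabet {a, b}; initial state p;
# transitions p -a-> q, p -b-> p, q -a-> q, q -b-> p.
STATES = frozenset({"p", "q"})
SIGMA = frozenset({"a", "b"})
INIT = "p"
TRANS = {("p", "a"): "q", ("p", "b"): "p", ("q", "a"): "q", ("q", "b"): "p"}


def successors(u, a):
    """All v with u --a--> v in the lifted coalgebra Q(A)."""
    return lifted_Q(STATES, SIGMA, INIT, TRANS)[u][1][a]


def reverse_reachable(u, a):
    """Subsets v each of whose states reaches u by an a-transition of the reverse
    of A, i.e. the characterisation of u --a--> v given in the text."""
    return frozenset(v for v in subsets(STATES)
                     if all(TRANS[(x, a)] in u for x in v))


if __name__ == "__main__":
    print("delta o iota = id:", is_right_inverse(STATES, SIGMA))
    print("iota o delta = id fails:", left_inverse_fails(STATES, SIGMA, "a"))
    for u in subsets(STATES):
        print(set(u), "-a->", [set(v) for v in successors(u, "a")])
```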


In Section 5 we return to these examples and show how we can apply the 
techniques from Section 4 to obtain preservation and reflection of bisimilarity. 


3 Relations, Liftings and Coalgebraic Bisimulations 


We recall the standard notion of coalgebraic bisimulation defined via relation 
lifting, broadly following [30,28]. Note, we will use some terminology from the 
theory of fibrations to allow us to be more concise, and many of the coming results 
can be generalised to a larger class of fibrations, but knowledge of fibrations is 
not required as we give a self-contained presentation of the fibration of relations. 
We make the following assumptions for the remainder of the paper: 


Assumption 3.1. We assume categories C, D with all finite limits, and factori- 
sation systems (E_1, M_1), (E_2, M_2) respectively for which M_1 = Mono_C, M_2 = 
Mono_D and for any left adjoint functor P: C → D we have P(E_1) ⊆ E_2. 


We assume finite limits mainly for binary products and pullbacks to allow 
the definitions of relations and inverse images. The assumption that maps in M_i 
are mono means that pullbacks of abstract monos and factorisation both yield 
monos, which represent subobjects. The final condition specifies that left adjoints 
preserve abstract epis. This is required in Section 4.2 and holds, e.g., when the 
involved categories possess a (RegEpi, Mono)-factorisation system [16,2], as in all 
our examples from Sections 2.2 and 5. 

For a category C satisfying the above, the category Rel(C) consists of: 


— Objects of Rel(C) are subobjects R ↣ X × X of the binary product of the 
object X with itself; 

— A map (R ↣ X × X) → (S ↣ Y × Y) in Rel(C) consists of a map u: X → Y 
in C such that there is the following commutative diagram 

[diagram (11): R → S on top, R ↣ X × X and S ↣ Y × Y vertically, and u × u: X × X → Y × Y at the bottom] 

In Set, these are subsets of the binary product of underlying sets as usual, and 
maps between relations constitute maps between the products sending R to S, 
i.e., x R y implies u(x) S u(y). Objects of Rel(Stone) are closed relations, as the 
image of a mono representing a subobject is homeomorphic to its domain, and 
images of continuous functions are compact and thus closed. In the case of an 
Eilenberg-Moore category for a monad T, objects of Rel(EM(T)) are congruences, 
as the map into the product is an algebra morphism. 


Remark 3.2. A note on notation: we use ↠ for epis and ↣ for monos and the 
subobjects they represent. We use ⇾ for abstract epis and ⇢ for abstract 
monos, i.e., maps in E and M respectively. 


Using the factorisation system on D, we lift a functor F: C → D to a functor 
Rel(F): Rel(C) → Rel(D). The action on objects is given by the factorisation 

FR → F(X × X) --⟨Fπ₁, Fπ₂⟩--> FX × FX, factored as FR ⇾ Rel(F)(R) ⇢ FX × FX (12) 

The action on arrows is defined by orthogonality. The resulting functor Rel(F) 
is a lifting in the sense that the following diagram commutes 

[diagram (13): Rel(C) --Rel(F)--> Rel(D) on top, p: Rel(C) → C and q: Rel(D) → D vertically, C --F--> D at the bottom] 

where p: Rel(C) → C sends a relation R ↣ X × X to the object X, and similarly 
for q. We say (following the terminology of fibrations) that the relation R is above 
the object X and a map between relations is above the map u from Eq. (11). 
Note that commutativity of diagram (13) expresses that Rel(F), applied to a 
relation R ↣ X × X on X, yields a relation on FX. 

Given a category of relations Rel(C), called the total category, the subcategory 
(also called a fibre) Rel_X consists of objects R ↣ X × X and maps above the 
identity on X. For relations in Set, such maps are inclusions of relations. In 
general, these maps are unique, and writing R ≤ S iff there is an arrow from R 
to S turns the fibre into a poset. A relation lifting Rel(F) can be restricted to 
the fibres to give a functor Rel(F)_X: Rel_X → Rel_FX. Since Rel_X and Rel_FX are 
posetal categories, Rel(F)_X can be viewed as a monotone map. 

For a map f: X → Y in C, we have the direct image and inverse image 
functors ∐_f: Rel_X → Rel_Y and f*: Rel_Y → Rel_X. For relations on sets, we have 
∐_f(R ⊆ X × X) = {(f(x), f(y)) | (x, y) ∈ R} and f*(S ⊆ Y × Y) = {(x, y) ∈ 
X × X | (f(x), f(y)) ∈ S}. More generally, they are obtained as the factorisation 
and pullback in the left and right diagram below respectively 

[diagram (14): on the left, R ⇾ ∐_f(R) ⇢ Y × Y is the factorisation of the composite 
R ↣ X × X --f×f--> Y × Y; on the right, f*(S) ↣ X × X is the pullback of S ↣ Y × Y 
along f × f: X × X → Y × Y] 

It can further be shown that ∐_f ⊣ f*. We say that Rel(F): Rel(C) → Rel(D) 
preserves inverse images if Rel(F)_X ∘ f* = (Ff)* ∘ Rel(F)_Y. 

In this context, a bisimulation for a B-coalgebra f: X → BX is a post-fixed 
point of the endofunctor f* ∘ Rel(B)_X: Rel_X → Rel_X, i.e., a relation R ↣ X × X 
such that R ≤ f* ∘ Rel(B)_X(R). Bisimilarity is then obtained as the greatest 
fixed point ν(f* ∘ Rel(B)_X), if it exists. In Set a bisimulation is a relation R such 
that R ⊆ (f × f)^{-1}(Rel(B)(R)), i.e., if x R y then f(x) Rel(B)(R) f(y). 


4 Preserving and Reflecting Bisimilarity 


In this section we show that, in the presence of an invertible step, bisimilarity 
is preserved and reflected by the step-induced lifting of the right adjoint, given 
some further mild conditions. This allows us to recover a number of existing 
results for concrete instances (Section 5). 

Our approach is as follows: 


— In Section 4.1, we make precise what it means for a monotone map to preserve 
and reflect bisimulations; 

— In Section 4.2, we obtain conditions which ensure that the step-induced 
lifting of the right adjoint to bisimulations preserves and reflects bisimula- 
tions/bisimilarity. 


Throughout this section we assume categories C and D as in Assumption 3.1, and 
an invertible step δ: BQ → QL with right inverse ι: QL → BQ (and P, Q, B, L 
as in Definition 2.1). 


4.1 Preservation and reflection 


We now make precise what it means for a monotone map h to preserve and reflect 
bisimulations. This will be instantiated to bisimulations, captured abstractly as 
post-fixed points of a monotone map f: Γ → Γ on a poset Γ, which typically 
consists of relations (Section 3). These are compared against a second type of 
bisimulations, modelled as post-fixed points of another monotone map g: Δ → Δ. 
This motivates the following definition. 


Definition 4.1. Let Γ and Δ be posets, and f: Γ → Γ, g: Δ → Δ monotone 
maps. A monotone map h: Γ → Δ preserves post-fixed points if x ≤ f(x) implies 
h(x) ≤ g(h(x)). It reflects post-fixed points if the converse implication holds. 


In the step setting of Eq. (1), bisimulations for B- and L-coalgebras can be 
represented as post-fixed points of monotone maps on posets of relations as in 
Section 3. More concretely: 


— Bisimulations for an L-coalgebra f: X → LX are post-fixed points of the 
monotone map f* ∘ Rel(L)_X: Rel_X → Rel_X; 

— Bisimulations for the B-coalgebra ι_X ∘ Qf: QX → BQX resulting from 
the application of the step-induced lifting of Q are post-fixed points of 
(ι_X ∘ Qf)* ∘ Rel(B)_QX: Rel_QX → Rel_QX. 

The two can be compared via the restriction Rel(Q)_X: Rel_X → Rel_QX of the 
functor Rel(Q). Indeed, our main objective is to show that in the presence of 
an invertible step, Rel(Q)_X preserves and reflects post-fixed points representing 
bisimulations, and that it maps the greatest fixed point in Rel_X (bisimilarity on 
f) to the greatest fixed point in Rel_QX (bisimilarity on ι_X ∘ Qf). In this context 
we speak about preservation and reflection of bisimulations/bisimilarity. 


4.2 Proof of preservation and reflection 


We are now ready to prove preservation and reflection of bisimilarity, in the sense 
described in the previous subsection. First, the following basic lemma provides a 
method of showing preservation and reflection of post-fixed points, which will be 
useful for our purposes. 


Lemma 4.2. Let Γ and Δ be posets, and f: Γ → Γ, g: Δ → Δ and h: Γ → Δ 
monotone maps. Suppose that h has a left (lower) adjoint k: Δ → Γ, and the 
equality gh = hf holds. Then h maps the greatest fixed point of f to the greatest 
fixed point of g, when these exist; h preserves post-fixed points; and if h is 
order-reflecting, then h reflects post-fixed points. 


Categorically speaking, the equality gh = hf is an isomorphic step. Instan- 
tiated to our setting of interest, Lemma 4.2 gives us a method for proving 
preservation and reflection of bisimilarity: it suffices to show each of the following. 


1. A left adjoint for Rel(Q)_X (Lemma 4.7). 

2. The equality (ι_X ∘ Qf)* ∘ Rel(B)_QX ∘ Rel(Q)_X = Rel(Q)_X ∘ f* ∘ Rel(L)_X 
(Theorem 4.9). 

3. Order-reflection of Rel(Q)_X (assumption; discussed at the end of this section). 


To obtain the required adjunction between the fibres Rel_X and Rel_QX, we first 
establish the adjunction Rel(P) ⊣ Rel(Q) between the total relation categories. 
Given Assumption 3.1, we can lift the unit and counit of the adjunction P ⊣ Q, 
using the transformations constructed in the following lemma. 


Lemma 4.3. Let F: C → D and G: D → E be functors, with Rel(F): Rel(C) → 
Rel(D) and Rel(G): Rel(D) → Rel(E) the corresponding relation liftings. Then 
we have a natural transformation Rel(GF) → Rel(G)Rel(F). Further, if G pre- 
serves abstract epis, then there is also a natural transformation Rel(G)Rel(F) → 
Rel(GF). Also, the constructed transformations are above the identity. 


We note that the first part is in [28, Exercise 4.4.6] and the result is proved 
for Set endofunctors in [9, Lemma 14.1]. This allows the lifting of the adjunction, 
which we note may also be obtainable from results on fibred adjunctions in [30,26], 
but a direct proof is quite straightforward; the main idea is to use Lemma 4.3 
together with preservation of abstract epis by P. 
Lemma 4.4. The adjunction P ⊣ Q: D → C lifts to relations, i.e., the following 
diagram is commutative, and the unit and counit of the upper adjunction are 
above the unit and counit of P ⊣ Q. 

[diagram (15): Rel(C) ⇄ Rel(D) via Rel(P) ⊣ Rel(Q) on top, p and q vertically, and C ⇄ D via P ⊣ Q at the bottom] 


The relation lifting defined in Section 3 allows us to define endofunctors 
Rel(B), Rel(L) in the context of the above adjunction: 

[diagram (16): Rel(B) acting on Rel(C), Rel(L) acting on Rel(D), with Rel(P): Rel(C) → Rel(D) drawn above Rel(Q): Rel(D) → Rel(C), Rel(P) ⊣ Rel(Q)] 


In this setting, we may try to lift the step δ or its converse ι to this adjunction. 
It turns out that δ always lifts. For ι, there is a sufficient condition which is 
independent of ι itself: that Q preserves abstract epis. In both cases, this result 
follows essentially from Lemma 4.3. 


Proposition 4.5. For a forward step δ and backward step ι, we have: 


1. δ lifts to relations, i.e., there exists a natural transformation δ̄: Rel(B) ∘ 
Rel(Q) → Rel(Q) ∘ Rel(L) above δ. 

2. If Q preserves abstract epis, then ι lifts to relations, i.e., there exists a natural 
transformation ῑ: Rel(Q) ∘ Rel(L) → Rel(B) ∘ Rel(Q) above ι. 


The condition that Q preserves abstract epis holds, e.g., in case it is the 
forgetful functor in an adjunction monadic over Set. This is because Eilenberg-Moore 
categories of monads on Set have (RegEpi, Mono)-factorisation systems, and 
the forgetful functor sends regular epis to epis in Set as discussed in [13, Example 
2.3]. It also holds in the Stone-Set case, as Stone is a reflective subcategory of 
CHaus (which is equivalent to the category of algebras for the ultrafilter monad). 

The lifted steps δ̄ and ῑ give step-induced liftings of Rel(P) and Rel(Q) 
between Coalg(Rel(B)) and Coalg(Rel(L)). Since bisimulations can be equivalently 
presented as coalgebras for Rel(B) and Rel(L), these liftings can be used to capture 
preservation of bisimulations. But it is less obvious what reflection means in this 
context and how to prove it. For reflection of bisimulations by Rel(Q), we turn 
our attention to the fibres, as described in the beginning of this section. 

As a consequence of Proposition 4.5 and of δ ∘ ι = id, we obtain the following 
result, which will later be used in the construction of a step on the fibres. 


Lemma 4.6. Let δ be an invertible step with right inverse ι, and suppose Q 
preserves abstract epis. Then Rel(Q)_LX ∘ Rel(L)_X = ι_X* ∘ Rel(B)_QX ∘ Rel(Q)_X. 
Adjoining the fibres Next, we construct an adjunction between the fibres 
Rel_X and Rel_QX. The usual restriction Rel(Q)_X of Rel(Q) to the fibre Rel_X 
will be the right adjoint, similarly to the adjunction obtained earlier. To map 
back into the fibre Rel_X, we post-compose Rel(P)_QX with ∐_{ε_X}, the direct image 
functor obtained from the counit of the adjunction Rel(P) ⊣ Rel(Q). We note the 
similarity with results on fibred adjunctions in [30], where only adjunctions over 
a single base category are considered. 


Lemma 4.7. We have an adjunction ∐_{ε_X} ∘ Rel(P)_QX ⊣ Rel(Q)_X: Rel_X → Rel_QX. 


The above lemma fulfils the first proof obligation stated in the beginning of 
Section 4.2. It now remains to show the second proof obligation, i.e., that we 
have an isomorphic step in the following setting: 

[diagram (17): (ι_X ∘ Qf)* ∘ Rel(B)_QX acting on Rel_QX, f* ∘ Rel(L)_X acting on Rel_X, 
with ∐_{ε_X} ∘ Rel(P)_QX: Rel_QX → Rel_X drawn above Rel(Q)_X: Rel_X → Rel_QX, and ∐_{ε_X} ∘ Rel(P)_QX ⊣ Rel(Q)_X] 


To this end, we first show that Rel(Q) preserves inverse images, using the fact 
that we can obtain inverse images as pullbacks inside the category of relations. 
Since Rel(Q) is a right adjoint, it preserves these pullbacks. 


Lemma 4.8. Rel(Q) preserves inverse images. 

We are now ready to show the existence of the required isomorphic step. 

Theorem 4.9. If Q preserves abstract epis, then for any L-coalgebra (X, f): 

(ι_X ∘ Qf)* ∘ Rel(B)_QX ∘ Rel(Q)_X = Rel(Q)_X ∘ f* ∘ Rel(L)_X (18) 


Proof. We have 

(ι_X ∘ Qf)* ∘ Rel(B)_QX ∘ Rel(Q)_X = (Qf)* ∘ ι_X* ∘ Rel(B)_QX ∘ Rel(Q)_X (19) 

= (Qf)* ∘ Rel(Q)_LX ∘ Rel(L)_X (20) 

= Rel(Q)_X ∘ f* ∘ Rel(L)_X (21) 

where Eq. (19) is an application of a basic fact on inverse images (technically, 
that the poset fibration of relations is split), Eq. (20) holds by Lemma 4.6, and 
Eq. (21) holds by Lemma 4.8. 


We now reach our main result on preservation and reflection of bisimulations 
and bisimilarity by Rel(Q)_X. 


Theorem 4.10. Let (X, f) be an L-coalgebra. Suppose that Q preserves abstract 
epis. Then Rel(Q)_X maps bisimilarity on (X, f) (when it exists) to bisimilarity on 
Q̄(X, f). Further, Rel(Q)_X preserves bisimulations and, if it is order-reflecting, 
also reflects bisimulations. 

Proof. We have seen in Lemma 4.7 that Rel(Q)_X has a left adjoint, and in 
Theorem 4.9 that in this setting we have an isomorphic step. The result now 
follows from Lemma 4.2. 


While this result is formulated in terms of Rel(Q)x, we will also speak of 
simply Q preserving and reflecting both bisimulations and bisimilarity. 

As a special case of Theorem 4.10, we recover (a version of) the following 
existing result found in [42,3,11,12]. 


Lemma 4.11. Assume functors B, L: C → C, and a natural transformation 
ι: L → B. Then the functor Id: Coalg(L) → Coalg(B) defined by (X, f) ↦ 
(X, ι_X ∘ f) on objects and identity on morphisms, preserves bisimulations. If 
additionally ι has a left inverse, Id reflects bisimulations. 


We briefly turn to the condition of order-reflectingness. As we are often 
interested in cases where the right adjoint is a forgetful functor in the context of 
an Eilenberg-Moore adjunction, it is useful to state the following. 


Lemma 4.12. For a monad T with forgetful functor U: EM(T) → C, the (re- 
stricted) lifting Rel(U)_X is an order-reflecting map. 


If C = Set in the above lemma, then Rel(U)_X is just the inclusion of the poset 
of congruences Rel_X on an algebra X into the poset of all relations on its carrier. 

In that case, we can also use the above to show preservation and reflection 
of behavioural equivalence. Two states of a coalgebra (in Set) are behaviourally 
equivalent if they can be identified by some coalgebra homomorphism. This can 
be captured more abstractly using kernel bisimulations (see, e.g., [44]). Since U 
is assumed to be a forgetful functor to Set, we simply define preservation and 
reflection of behavioural equivalence by U to mean that for any two states x, y 
of an L-coalgebra (X, f), x and y are behaviourally equivalent (for (X, f)) if and 
only if they are behaviourally equivalent for Ū(X, f). 

It turns out that, in our setting, coincidence of bisimilarity and behavioural 
equivalence for L-coalgebras reduces to coincidence for B-coalgebras. This is 
stated in the following lemma; the essence is that U is easily shown to preserve 
behavioural equivalence. 


Lemma 4.13. For a monad T, consider the Eilenberg-Moore adjunction F ⊣ 
U: EM(T) → Set with functors L: EM(T) → EM(T) and B: Set → Set, and 
an invertible step δ: BU → UL. Further suppose that U preserves and reflects 
bisimilarity, and that B preserves weak pullbacks. Then bisimilarity and be- 
havioural equivalence for L-coalgebras coincide (and hence, U preserves and 
reflects behavioural equivalence). 


Remark 4.14. We conclude with a brief exploration of preservation and reflection 
by the restriction of the left adjoint Rel(P)_X, in the setting of 

[diagram (22): f* ∘ Rel(B)_X acting on Rel_X, (δ̂_X ∘ Pf)* ∘ Rel(L)_PX acting on Rel_PX, with Rel(P)_X: Rel_X → Rel_PX] 

with f: X → BX a B-coalgebra in this case. Here, we can obtain a backward 
step Rel(P)_X ∘ f* ∘ Rel(B)_X ≤ (δ̂_X ∘ Pf)* ∘ Rel(L)_PX ∘ Rel(P)_X which means 
that we can lift Rel(P)_X to bisimulations, so that these are preserved. However, 
we cannot obtain a forward step in this context, thus reflection will not hold. This 
is illustrated, e.g., by the example of ultrafilter extensions, where the ultrafilter 
monad β certainly does not reflect bisimulations: in general, in the ultrafilter 
extension more states will be bisimilar. 


5 Applications 


Now that we have obtained conditions for the preservation and reflection of 
bisimilarity, we return to the examples of Section 2.2. We will show how a number 
of existing non-trivial results can be recovered in a concise way. Further, the 
Set-Stone adjunction used in the first example is known to not be monadic, and 
so outside the scope of weak liftings, which indicates the generality of our results. 


Ultrafilter Extensions and Vietoris bisimulations In Example 2.5, we 
have seen how the construction of ultrafilter extensions can be obtained from 
an invertible step, which arises from a weak lifting described by Garner. In the 
current treatment of reflection and preservation of bisimilarity, we focus on the 
restriction of this invertible step to the category Stone. 

This brings us in line with [5], where a comparison is made between bisimilarity 
for the Vietoris functor V: Stone → Stone and bisimilarity for the powerset functor 
P: Set → Set, called Vietoris-bisimilarity and Kripke-bisimilarity respectively in 
op. cit. More precisely, for a V-coalgebra (X, f), Kripke bisimilarity is bisimilarity 
on Ū(X, f), where Ū is the step-induced lifting of the forgetful functor U: Stone → 
Set. Vietoris bisimilarity is simply bisimilarity on the coalgebra (X, f) itself. 

We consider the following results from [5]: 


1. The relation liftings of P and V coincide for closed subsets [5, Prop 3.4] 

2. Vietoris bisimulations are equivalently closed Kripke bisimulations [5, Thm 3.6] 

3. The closure of a Kripke bisimulation is a Vietoris bisimulation [5, Thm 5.2] 

4. Vietoris- and Kripke-bisimilarity are equivalent [5, Cor 3.10] 


From the above discussion, we see that these results fit into the setting of 
Section 4, so that they can be recovered using our results on the preservation 
and reflection of bisimilarity as follows: 


1. This follows from the equality of Lemma 4.6, as the action of ι* is exactly 
the restriction to closed subsets. We can apply this lemma as U preserves 
abstract epis, due to the same argument as for adjunctions monadic over Set 
(see the discussion after Proposition 4.5), as Stone is also a regular category. 

2. For this, we use preservation and reflection of bisimulations by the (restricted) 
relation lifting Rel(U)_X: Rel_X → Rel_UX of the forgetful functor, which is 
simply the inclusion of the poset of closed relations on a Stone space X to 
that of all relations on the underlying set. 
Indeed, preservation and reflection by Rel(U)_X follows from Theorem 4.10. 
We have seen that U: Stone → Set preserves abstract epis, so it only remains 
to check that Rel(U)_X is order-reflecting. This holds because Stone is a 
reflective (i.e. full) subcategory of CHaus, which is monadic over Set. 

3. The left adjoint ∐_{ε_X} ∘ Rel(F)_UX of Lemma 4.7 gives the closure of a relation. 
Its lifting to bisimulations (cf. Remark 4.14) yields the desired result. 

4. This holds since Rel(U)_X maps the greatest fixed point of (ι_X ∘ Uf)* ∘ 
Rel(P)_UX to that of f* ∘ Rel(V)_X, i.e., it preserves and reflects bisimilarity. 


PAs and Belief State Transformers As discussed in Example 2.6, we can 
determinise a PA to a coalgebra for the convex powerset functor P_c: EM(D) → 
EM(D) using a lifting of F: Set → EM(D). The step-induced lifting of the 
corresponding forgetful functor U: EM(D) → Set maps the P_c-coalgebra back 
into Set, but we must take care that this does not change its behaviour. What 
we can do now is show that bisimilarity is preserved and reflected. 

Once we know this, we can apply Lemma 4.13 to show the coincidence of 
bisimilarity and behavioural equivalence in the case of the convex powerset functor 
on EM(D) and the powerset functor on Set as this preserves weak pullbacks. 
This coincidence is relevant for the generalisation of the corresponding results 
of [12] (restricted to the convex powerset functor), which are formulated in terms 
of behavioural equivalence. As mentioned in Example 2.6, the weak lifting we 
require to cover automata with labels can be found in [21]. Consider the following: 


1. The lifting of the forgetful functor $U : \mathsf{EM}(\mathcal{D}) \to \mathsf{Set}$ preserves and reflects 
behavioural equivalence on $\mathcal{P}_c$-coalgebras [12, Proposition 6.6]. 

2. A relation R is a kernel bisimulation for a $\mathcal{P}_c$-coalgebra (S, c) in $\mathsf{EM}(\mathcal{D})$ iff 
it is a kernel bisimulation for U(S, c) and also a congruence. 


Again, we can apply the results of Section 4 to recover these results. In fact, 
in [12, Proposition 6.5], the second result is proved more generally, namely for 
settings where a so-called lax lifting exists rather than the weak lifting we require. 


1. We have seen that U preserves abstract epis as the adjunction in question is 
monadic over Set. This allows us to apply Theorem 4.10 so that U indeed 
preserves and reflects bisimulations, and the relevant lifting preserves and 
reflects bisimilarity. From Lemma 4.13, it follows that U also preserves and 
reflects behavioural equivalence. 

2. Assuming (S, c) is a $\mathcal{P}_c$-coalgebra, this follows from Lemma 4.13 together 
with the previous item, and the fact that bisimulations in Eilenberg-Moore 
categories are congruences. 


Automata For a different instance, we revisit Example 2.7 and consider the 
basic adjunction $P \dashv Q : \mathcal{D}^{op} \to \mathcal{C}$. As a general remark, we note that if $\mathcal{D}$ admits 
a factorization system $(\mathcal{E}, \mathcal{M})$ with $\mathcal{E}$ a class of epis and $\mathcal{M}$ a class of monos, 
then $(\mathcal{M}, \mathcal{E})$ forms a factorization system for $\mathcal{D}^{op}$, with $\mathcal{M}$ a class of epis in $\mathcal{D}^{op}$ 
and $\mathcal{E}$ a class of monos in $\mathcal{D}^{op}$. We can explicitly describe $\mathrm{Rel}(\mathcal{D}^{op})$ as follows: 

— Objects of $\mathrm{Rel}(\mathcal{D}^{op})$ are quotients $X + X \twoheadrightarrow E$ of $X + X$; 
— A map $(X + X \twoheadrightarrow E) \to (Y + Y \twoheadrightarrow F)$ consists of a map $u : Y \to X$ in $\mathcal{D}$ such 
that there is the following commutative diagram 

[commutative diagram (23)] 


In the case $\mathcal{D} = \mathsf{Set}$, $\mathcal{E} = \mathrm{Epi}$ and $\mathcal{M} = \mathrm{Mono}$. Further, every epi $e : X + X \twoheadrightarrow E$ 
is isomorphic to an epi of the form $X + X \twoheadrightarrow (X + X)/{\sim}$ with $\sim$ an equivalence 
relation on $X + X$. This gives us an equivalent description of $\mathrm{Rel}(\mathsf{Set}^{op})$: 

— Objects of $\mathrm{Rel}(\mathsf{Set}^{op})$ are equivalence relations $\sim$ on $X + X$ for a set X; 
— A map $({\sim} \subseteq (X + X)^2) \to ({\approx} \subseteq (Y + Y)^2)$ consists of a map $u : Y \to X$ such 
that if $j(y) \approx j'(y')$, then $j(u(y)) \sim j'(u(y'))$, with $j, j'$ arbitrary coproduct 
inclusions. 

In particular, we see that the fibre over a set X consists of all equivalence relations 
on $X + X$, ordered by reverse inclusion. Reindexing along a map $u : X \to Y$ in $\mathsf{Set}^{op}$ 
(i.e. a function $u : Y \to X$) maps an equivalence relation $\approx$ on $Y + Y$ to the least 
equivalence relation $\sim$ on $X + X$ such that $j(u(y)) \sim j'(u(y'))$ for all $j(y) \approx j'(y')$. 

Focusing on the setting of (8) in Example 2.7, the lifting $\mathrm{Rel}(L)$ is given by 

$$\mathrm{inl}(*)\ \mathrm{Rel}(L)(\sim)\ \mathrm{inr}(*) \tag{24}$$
$$j((a,x))\ \mathrm{Rel}(L)(\sim)\ j'((b,y)) \iff a = b \text{ and } j(x) \sim j'(y) \tag{25}$$


If $f : X \leftarrow 1 + A \times X$ is an L-coalgebra, we see that $f^* \circ \mathrm{Rel}(L)_X$ maps an 
equivalence relation $\sim$ on $X + X$ to the least equivalence relation $\approx$ satisfying 

$$\mathrm{inl}(f(*)) \approx \mathrm{inr}(f(*)) \tag{26}$$
$$j(f(a,x)) \approx j'(f(a,y)) \text{ whenever } j(x) \sim j'(y) \tag{27}$$


A post-fixed point of this map is an equivalence relation $\sim$ which relates $\mathrm{inl}(f(*))$ 
and $\mathrm{inr}(f(*))$ and is closed under the action of A on $X + X$. The greatest post-
fixed point is the least such relation, as relations in $\mathrm{Rel}_X$ are ordered by reverse 
inclusion. It is easy to see that this is exactly the relation which identifies $\mathrm{inl}(x)$ 
and $\mathrm{inr}(x)$ for those x reachable from $f(*)$. 

$\mathrm{Rel}(Q)$, meanwhile, maps an equivalence relation $\sim$ on $X + X$ to the relation 
R on $2^X$ given by 

$$u\,R\,v \iff \mathrm{inl}[u] \cup \mathrm{inr}[v] \text{ is } {\sim}\text{-closed} \tag{28}$$

If X' is the set of reachable states, we conclude that $\mathrm{Rel}(Q)$ maps the greatest 
bisimulation $\sim$ to the relation 

$$u\,R\,v \iff u \cap X' = v \cap X' \tag{29}$$

The functor Q preserves (abstract) epis, as all epis in Set are regular. Now, 
Theorem 4.10 tells us that the relation (29) coincides with bisimilarity on the 
automaton Q(X, f) from Example 2.7. It follows that the subautomaton on $2^{X'}$ 
is minimal, and is the minimal automaton equivalent to Q(X, f). 
6 Discussion and Future Work 


We studied the notion of an invertible step, which provides several constructions 
on coalgebras via functor liftings. We showed that the lifting of the right adjoint, 
induced by such an invertible step, preserves and reflects bisimilarity. This 
abstract result instantiates to several concrete results from the literature, in 
examples related to ultrafilter extensions and weak distributive laws. 

We have focused on preservation and reflection of bisimilarity, defined in terms 
of relation lifting. There are several other coalgebraic notions of behavioural 
equivalence and bisimilarity [44]—we discuss these in the next subsection. Finally, 
in Section 6.2 we list directions for future work. 


6.1 Remarks on other notions of bisimulation 


Aczel-Mendler bisimulations For a coalgebra $f : X \to LX$, an Aczel-Mendler 
bisimulation $R \to X \times X$ is defined by the existence of an L-coalgebra structure 
$R \to LR$ on R such that the projection maps are coalgebra homomorphisms [1]. 

In the invertible step setting, applying a lifting Q to such a bisimulation 
yields a structure $QR \to BQR$. However, this is not immediately a bisimulation, 
as QR may not be a relation. We can obtain a relation by taking the image of 
$(Q\pi_1, Q\pi_2)$ as we do to define relation lifting, but in general this is a Hermida-
Jacobs bisimulation [28, Exercise 4.5.2], rather than an Aczel-Mendler one. 

On the other hand, if we wish to speak of reflection of Aczel-Mendler bisimulations, 
we start with a span $QX \leftarrow R \to QX$ and try to construct a relation on 
X. Using the adjunction of the step setting, we can transpose the projections to 
obtain a span $X \leftarrow PR \to X$. Again PR is not immediately a relation in general, 
and taking the image yields a $\mathrm{Rel}(L)$-coalgebra (not an L-coalgebra) as the 
projections and the counit $\varepsilon$ are coalgebra homomorphisms (see also [28, Exercise 
4.5.4]). This in fact comes down to the same as the left adjoint $\coprod_{\varepsilon} \circ \mathrm{Rel}(P)_{QX}$ 
constructed earlier. There we factorise to obtain the relation lifting and factorise 
again for the direct image of $\varepsilon$, instead of factorising the paired transposes defined 
using $\varepsilon$. We also do not explicitly use that $\varepsilon$ is a coalgebra homomorphism (although 
this follows from the step with right inverse and Lemma 2.3); instead we 
lift the adjunction at the level of relations to give a map between bisimulations. 
This is part of the motivation for the use of relation liftings and the corresponding 
notion of bisimulations. 

Going further, it is shown in [5] that there exists a Vietoris bisimulation which 
is not an Aczel-Mendler bisimulation and, stronger, that there exist Vietoris 
coalgebras with states which can be related by a Vietoris but not an Aczel- 
Mendler bisimulation. Thus, the correspondences between bisimulations on Set 
and Stone we have discussed in the previous sections are not obtainable when we 
consider Aczel-Mendler bisimulations. 


Kernel bisimulations/behavioural equivalence In applying our results to 
the preservation and reflection of behavioural equivalence, we currently work 
concretely, considering sets of states and identification of elements. 

We prefer to work more abstractly, as we have done for bisimilarity. To this 
end, we may consider kernel bisimulations. A relation $R \to X \times X$ is a kernel 
bisimulation on a coalgebra $(X, f : X \to LX)$ in a category $\mathcal{D}$ if it is the pullback 
of morphisms $X \to Z \leftarrow X$ in $\mathcal{D}$ forming a cospan of coalgebra homomorphisms 
$(X, f) \to (Z, z) \leftarrow (X, f)$ in $\mathsf{Coalg}_{\mathcal{D}}(L)$. In a concrete setting this coincides with 
behavioural equivalence, as such a pullback contains exactly the pairs of elements 
of X which are identified in Z by the morphisms forming the cospan. We can 
thus view this as a generalisation of behavioural equivalence as defined earlier. 

Assuming an invertible step $\delta : BQ \to QL$, we would like to relate R to a 
kernel bisimulation on the coalgebra Q(X, f) obtained by applying the step- 
induced lifting of Q. Applying Q to the pullback square for R yields a pullback 
square as Q is a right adjoint. However, as in our discussion of Aczel-Mendler 
bisimulations, this may not be a relation. We may try to also use relation liftings 
here, and take Rel(Q)(R) instead of Q(R), however this may no longer be a 
pullback. It is not currently clear to us how to resolve these problems in general. 


6.2 Future work 


There are several further directions for future work. First, in this paper we focused 
primarily on fibrations of relations, which suffice for our purposes of studying 
bisimilarity. However, we expect that some of our results can be generalised to 
arbitrary (posetal) fibrations. Such a generalisation could be the basis to study 
preservation and reflection of other coinductive predicates and relations than 
bisimilarity, which can be formulated in terms of fibrations and liftings (e.g., [25]). 

Secondly, while we have shown in Section 5 how our results can be used 
to recover the central results from [5], the latter have been generalised in two 
directions: the recent [24] considers bisimulations for Vietoris coalgebras on 
the category of arbitrary topological spaces, while [18] develops a notion of 
neighbourhood bisimulation for coalgebras that allows to generalise the results 
from [5] to a large variety of functors on the category of Stone spaces and their 
corresponding functors on Set. We would like to understand whether or not our 
framework is able to recover these generalisations. 

Finally, the examples that we have studied in this paper do not yet exploit the 
full generality of invertible steps: our main motivating examples are based on an 
Eilenberg-Moore adjunction (or close, as in the example based on Stone spaces). 
In [41] it is shown that steps are relevant in a much wider setting, for instance 
when based on a Kleisli adjunction or on contravariant adjunctions and dualities. 
The latter type of steps are relevant for coalgebraic modal logics—we have studied 
a first instance in our example of deterministic and non-deterministic automata. 
Investigating the meaning of invertible steps in these other types of adjunctions 
is left for future work. 
Abstract. Safety and liveness are elementary concepts of computation, 
and the foundation of many verification paradigms. The safety-liveness 
classification of boolean properties characterizes whether a given prop- 
erty can be falsified by observing a finite prefix of an infinite computation 
trace (always for safety, never for liveness). In quantitative specification 
and verification, properties assign not truth values, but quantitative val- 
ues to infinite traces (e.g., a cost, or the distance to a boolean property). 
We introduce quantitative safety and liveness, and we prove that our def- 
initions induce conservative quantitative generalizations of both (1) the 
safety-progress hierarchy of boolean properties and (2) the safety-liveness 
decomposition of boolean properties. In particular, we show that every 
quantitative property can be written as the pointwise minimum of a 
quantitative safety property and a quantitative liveness property. Con- 
sequently, like boolean properties, also quantitative properties can be 
min-decomposed into safety and liveness parts, or alternatively, max- 
decomposed into co-safety and co-liveness parts. Moreover, quantitative 
properties can be approximated naturally. We prove that every quan- 
titative property that has both safe and co-safe approximations can be 
monitored arbitrarily precisely by a monitor that uses only a finite num- 
ber of states. 


1 Introduction 


Safety and liveness are elementary concepts in the semantics of computation [39]. 
They can be explained through the thought experiment of a ghost monitor—an 
imaginary device that watches an infinite computation trace at runtime, one 
observation at a time, and always maintains the set of possible prediction values 
to reflect the satisfaction of a given property. Let Φ be a boolean property, 
meaning that Φ divides all infinite traces into those that satisfy Φ, and those that 
violate Φ. After any finite number of observations, True is a possible prediction 
value for Φ if the observations seen so far are consistent with an infinite trace 
that satisfies Φ, and False is a possible prediction value for Φ if the observations 
seen so far are consistent with an infinite trace that violates Φ. When True is no 
possible prediction value, the ghost monitor can reject the hypothesis that Φ is 
satisfied. The property Φ is safe if and only if the ghost monitor can always reject 
the hypothesis Φ after a finite number of observations: if the infinite trace that is 
being monitored violates Φ, then after some finite number of observations, True is 
no possible prediction value for Φ. Orthogonally, the property Φ is live if and only 
if the ghost monitor can never reject the hypothesis Φ after a finite number of 
observations: for all infinite traces, after every finite number of observations, True 
remains a possible prediction value for Φ. 


The safety-liveness classification of properties is fundamental in verification. 
In the natural topology on infinite traces—the “Cantor topology”—the safety 
properties are the closed sets, and the liveness properties are the dense sets [4]. 
For every property Φ, the location of Φ within the Borel hierarchy that is induced 
by the Cantor topology—the so-called “safety-progress hierarchy” [17]— 
indicates the level of difficulty encountered when verifying ®. On the first level, 
we find the safety and co-safety properties, the latter being the complements of 
safety properties, i.e., the properties whose falsehood (rather than truth) can 
always be rejected after a finite number of observations by the ghost monitor. 
More sophisticated verification techniques are needed for second-level properties, 
which are the countable boolean combinations of first-level properties—the so- 
called “response” and “persistence” properties [17]. Moreover, the orthogonality 
of safety and liveness leads to the following celebrated fact: every property can be 
written as the intersection of a safety property and a liveness property [4]. This 
means that every property Φ can be decomposed into two parts: a safety part— 
which is amenable to simple verification techniques, such as invariants—and a 
liveness part—which requires heavier verification paradigms, such as ranking 
functions. Dually, there is always a disjunctive decomposition of ® into co-safety 
and co-liveness. 


So far, we have retold the well-known story of safety and liveness for boolean 
properties. A boolean property Φ is formalized mathematically as the set of infinite 
computation traces that satisfy Φ, or equivalently, the characteristic function 
that maps each infinite trace to a truth value. Quantitative generalizations of 
the boolean setting allow us to capture not only correctness properties, but also 
performance properties [31]. In this paper we reveal the story of safety and live- 
ness for such quantitative properties, which are functions from infinite traces to 
an arbitrary set D of values. In order to compare values, we equip the value 
domain D with a partial order ≤, and we require (D, ≤) to be a complete lattice. 
The membership problem [18] for an infinite trace f and a quantitative property 
Φ asks whether Φ(f) ≥ v for a given threshold value v ∈ D. Correspondingly, 
in our thought experiment, the ghost monitor attempts to reject hypotheses of 
the form Φ(f) ≥ v, which cannot be rejected as long as all observations seen 
so far are consistent with an infinite trace f with Φ(f) ≥ v. We will define Φ 
to be a quantitative safety property if and only if every hypothesis of the form 
Φ(f) ≥ v can always be rejected by the ghost monitor after a finite number of 
observations, and we will define Φ to be a quantitative liveness property if and 
only if some hypothesis of the form Φ(f) ≥ v can never be rejected by the ghost 
monitor after any finite number of observations. We note that in the quantitative 
case, after every finite number of observations, the set of possible prediction 
values for Φ maintained by the ghost monitor may be finite or infinite, and in 
the latter case, it may not contain a minimal or maximal element. 


Let us give a few examples. Suppose we have four observations: observation 
rq for “request a resource,” observation gr for “grant the resource,” observa- 
tion tk for “clock tick,” and observation oo for “other.” The boolean property 
Resp requires that every occurrence of rq in an infinite trace is followed eventually 
by an occurrence of gr. The boolean property NoDoubleReq requires that 
no occurrence of rq is followed by another rq without some gr in between. The 
quantitative property MinRespTime maps every infinite trace to the largest number 
k such that there are at least k occurrences of tk between each rq and the 
closest subsequent gr. The quantitative property MaxRespTime maps every infinite 
trace to the smallest number k such that there are at most k occurrences 
of tk between each rq and the closest subsequent gr. The quantitative property 
AvgRespTime maps every infinite trace to the lower limit value lim inf of the infinite 
sequence $(v_i)_{i \geq 1}$, where $v_i$ is, for the first i occurrences of tk, the average 
number of occurrences of tk between rq and the closest subsequent gr. Note that 
the values of AvgRespTime can be ∞ for some computations, including those for 
which the value of Resp is True. This highlights that boolean properties are not 
embedded in the limit behavior of quantitative properties. 


The boolean property Resp is live because every finite observation sequence 
can be extended with an occurrence of gr. In fact, Resp is a second-level liveness 
property (namely, a response property), because it can be written as a countable 
intersection of co-safety properties. The boolean property NoDoubleReq is safe 
because if it is violated, it will be rejected by the ghost monitor after a finite 
number of observations, namely, as soon as the ghost monitor sees a rq followed 
by another occurrence of rq without an intervening gr. According to our quan- 
titative generalization of safety, MinRespTime is a safety property. The ghost 
monitor always maintains the minimal number k of occurrences of tk between 
any past rq and the closest subsequent gr seen so far; the set of possible predic- 
tion values for MinRespTime is always {0,1,...,k}. Every hypothesis of the form 
“the MinRespTime-value is at least v” is rejected by the ghost monitor as soon 
as k < v; if such a hypothesis is violated, this will happen after some finite num- 
ber of observations. Symmetrically, the quantitative property MaxRespTime is 
co-safe, because every wrong hypothesis of the form “the MaxRespTime-value is 
at most v” will be rejected by the ghost monitor as soon as the smallest possible 
prediction value for MaxRespTime, which is the maximal number of occurrences 
of tk between any past rq and the closest subsequent gr seen so far, goes above v. 
By contrast, the quantitative property AvgRespTime is both live and co-live be- 
cause no hypothesis of the form “the AvgRespTime-value is at least v,” nor of the 
form “the AvgRespTime-value is at most v,” can ever be rejected by the ghost 
monitor after a finite number of observations. All nonnegative real numbers and 
∞ always remain possible prediction values for AvgRespTime. Note that a ghost 
monitor that attempts to reject hypotheses of the form Φ(f) ≥ v does not need 
to maintain the entire set of possible prediction values, but only the sup of the set 
of possible prediction values, and whether or not the sup is contained in the set. 
Dually, updating inf (and whether it is contained) suffices to reject hypotheses 
of the form Φ(f) ≤ v. 


By defining quantitative safety and liveness via ghost monitors, we not only 
obtain a conservative and quantitative generalization of the boolean story, but 
also open up attractive frontiers for quantitative semantics, monitoring, and ver- 
ification. For example, while the approximation of boolean properties reduces to 
adding and removing traces to and from a set, the approximation of quantitative 
properties offers a rich landscape of possibilities. In fact, we can approximate 
the notion of safety itself. Given an error bound α, the quantitative property Φ 
is α-safe if and only if for every value v and every infinite trace f whose value 
Φ(f) is less than v, all possible prediction values for Φ are less than v + α after 
some finite prefix of f. This means that, for an α-safe property Φ, the ghost 
monitor may not reject wrong hypotheses of the form Φ(f) ≥ v after a finite 
number of observations, once the violation is below the error bound. We show 
that every quantitative property that is both α-safe and β-co-safe, for any finite 
α and β, can be monitored arbitrarily precisely by a monitor that uses only 
a finite number of states. 

We are not the first to define quantitative (or multi-valued) definitions of 
safety and liveness [41,27]. While the previously proposed quantitative gener- 
alizations of safety share strong similarities with our definition (without coin- 
ciding completely), our quantitative generalization of liveness is entirely new. 
The definitions of [27] do not support any safety-liveness decomposition, be- 
cause their notion of safety is too permissive, and their liveness too restrictive. 
While the definitions of [41] admit a safety-liveness decomposition, our definition 
of liveness captures strictly fewer properties. Consequently, our definitions offer 
a stronger safety-liveness decomposition theorem. Our definitions also fit natu- 
rally with the definitions of emptiness, equivalence, and inclusion for quantitative 
languages [18]. 


Overview. In Section 2, we introduce quantitative properties. In Section 3, we 
define quantitative safety as well as safety closure, namely, the property that 
increases the value of each trace as little as possible to achieve safety. Then, we 
prove that our definitions preserve classical boolean facts. In particular, we show 
that a quantitative property Φ is safe if and only if Φ equals its safety closure 
if and only if Φ is upper semicontinuous. In Section 4, we generalize the safety-progress 
hierarchy to quantitative properties. We first define limit properties. For 
ℓ ∈ {inf, sup, lim inf, lim sup}, the class of ℓ-properties captures those for which 
the value of each infinite trace can be derived by applying the limit function ℓ to 
the infinite sequence of values of finite prefixes. We prove that inf-properties co- 
incide with safety, sup-properties with co-safety, lim inf-properties are suprema 
of countably many safety properties, and lim sup-properties infima of countably 
many co-safety properties. The lim inf-properties generalize the boolean persis- 
tence properties of [17]; the limsup-properties generalize their response prop- 
erties. For example, AvgRespTime is a liminf-property. In Section 5, we intro- 
duce quantitative liveness and co-liveness. We prove that our definitions preserve 
the classical boolean facts, and show that there is a unique property which is 
both safe and live. As main result, we provide a safety-liveness decomposition 
that holds for every quantitative property. In Section 6, we define approximate 
safety and co-safety. We generalize the well-known unfolding approximation of 
discounted properties for approximate safety and co-safety properties over the 
extended reals. This allows us to provide a finite-state approximate monitor for 
these properties. In Section 7, we conclude with future research directions. For 
complete proofs of all results, we refer the reader to the full version of the paper. 
Related Work. The notions of safety and liveness for boolean properties appeared 
first in [39] and were later formalized in [4], where safety properties were 
characterized as closed sets of the Cantor topology on infinite traces, and liveness 
properties as dense sets. As a consequence, the seminal decomposition theorem 
followed: every boolean property is an intersection of a safety property and a 
liveness property. A benefit of such a decomposition lies in the difference between 
the mathematical arguments used in their verification. While safety properties 
enable simpler methods such as invariants, liveness properties require more com- 
plex approaches such as well-foundedness [42,5]. These classes were characterized 
in terms of Büchi automata in [5] and in terms of linear temporal logic in [46]. 


The safety-progress classification of boolean properties [17] proposes an or- 
thogonal view: rather than partitioning the set of properties, it provides a hi- 
erarchy of properties starting from safety. This yields a more fine-grained view 
of nonsafety properties which distinguishes whether a “good thing” happens at 
least once (co-safety or “guarantee”), infinitely many times (response), or even- 
tually always (persistence). This classification follows the Borel hierarchy that 
is induced by the Cantor topology on infinite traces, and has corresponding pro- 
jections within properties that are definable by finite automata and by formulas 
of linear temporal logic. 

Runtime verification, or monitoring, is a lightweight, dynamic verification 
technique [6], where a monitor watches a system during its execution and tries 
to decide, after each finite sequence of observations, whether the observed finite 
computation trace or its unknown infinite extension satisfies a desired property. 
The safety-liveness dichotomy has profound implications for runtime verification 
as well: safety is easy to monitor [28], while liveness is not. An early definition of 
boolean monitorability was equivalent to safety with recursively enumerable sets 
of bad prefixes [35]. The monitoring of infinite-state boolean safety properties 
was later studied in [26]. A more popular definition of boolean monitorabil- 
ity [44,8] accounts for both truth and falsehood, establishing the set of moni- 
torable properties as a strict superset of finite boolean combinations of safety and 
co-safety [23]. Boolean monitors that use the set of possible prediction values can 
be found in [7]. The notion of boolean monitorability was investigated through 
the safety-liveness lens in [43] and through the safety-progress lens in [23]. 


Quantitative properties (a.k.a. “quantitative languages”) [18] extend their 
boolean counterparts by moving from the two-valued truth domain to richer 
domains such as real numbers. Such properties have been extensively studied 
from a static verification perspective in the past decade, e.g., in the context 
of model-checking probabilistic properties [38,37], games with quantitative ob- 
jectives [10,15], specifying quantitative properties [11,1], measuring distances 
between systems [2,16,22,29], best-effort synthesis and repair [9,20], and quan- 
titative analysis of transition systems [47,14,21,19]. More recently, quantitative 
properties have been also studied from a runtime verification perspective, e.g., for 
limit monitoring of statistical indicators of infinite traces [25] and for analyzing 
resource-precision trade-offs in the design of quantitative monitors [33,30]. 


To the best of our knowledge, previous definitions of (approximate) safety 
and liveness in nonboolean domains make implicit assumptions about the specification 
language [48,34,24,45]. We identify two notable exceptions. In [27], the 
authors generalize the framework of [43] to nonboolean value domains. They 
provide neither a safety-liveness decomposition of quantitative properties, nor a 
fine-grained classification of nonsafety properties. In [41], the authors present a 
safety-liveness decomposition and some levels of the safety-progress hierarchy on 
multi-valued truth domains, which are bounded distributive lattices. Their mo- 
tivation is to provide algorithms for model-checking properties on multi-valued 
truth domains. We present the relationships between their definitions and ours 
in the relevant sections below. 


2 Quantitative Properties 


Let Σ = {a, b, ...} be a finite alphabet of observations. A trace is an infinite 
sequence of observations, denoted by $f, g, h \in \Sigma^\omega$, and a finite trace is a finite 
sequence of observations, denoted by $s, r, t \in \Sigma^*$. Given $s \in \Sigma^*$ and $w \in \Sigma^* \cup \Sigma^\omega$, 
we denote by s ≺ w (resp. s ≼ w) that s is a strict (resp. nonstrict) prefix of w. 
Furthermore, we denote by |w| the length of w and, given a ∈ Σ, by $|w|_a$ the 
number of occurrences of a in w. 

A value domain D is a poset. Unless otherwise stated, we assume that D is 
a nontrivial (i.e., ⊥ ≠ ⊤) complete lattice and, whenever appropriate, we write 
0, 1, −∞, ∞ instead of ⊥ and ⊤ for the least and the greatest elements. We 
respectively use the terms minimum and maximum for the greatest lower bound 
and the least upper bound of finitely many elements. 


Definition 1 (Property). A quantitative property (or simply property) is a 
function $\Phi : \Sigma^\omega \to D$ from the set of all traces to a value domain. 


A boolean property $P \subseteq \Sigma^\omega$ is defined as a set of traces. We use the boolean 
domain $\mathbb{B} = \{0, 1\}$ with 0 < 1 and, in place of P, its characteristic property 
$\Phi_P : \Sigma^\omega \to \mathbb{B}$, which is defined by $\Phi_P(f) = 1$ if $f \in P$, and $\Phi_P(f) = 0$ if $f \notin P$. 

For all properties $\Phi_1, \Phi_2$ on a domain D and all traces $f \in \Sigma^\omega$, we let 
$\min(\Phi_1, \Phi_2)(f) = \min(\Phi_1(f), \Phi_2(f))$ and $\max(\Phi_1, \Phi_2)(f) = \max(\Phi_1(f), \Phi_2(f))$. 
For a domain D, the inverse of D is the domain $\overline{D}$ that contains the same elements 
as D but with the ordering reversed. For a property Φ, we define its 
complement $\overline{\Phi} : \Sigma^\omega \to \overline{D}$ by $\overline{\Phi}(f) = \Phi(f)$ for all $f \in \Sigma^\omega$. 

Some properties can be defined as limits of value sequences. A finitary property 
$\pi : \Sigma^* \to D$ associates a value with each finite trace. A value function 
$\ell : D^\omega \to D$ condenses an infinite sequence of values to a single value. Given a 
finitary property π, a value function ℓ, and a trace $f \in \Sigma^\omega$, we write $\ell_{s \prec f}\, \pi(s)$ 
instead of $\ell(\pi(s_0)\pi(s_1)\ldots)$, where each $s_i$ fulfills $s_i \prec f$ and $|s_i| = i$. 


3 Quantitative Safety 


Given a property $\Phi : \Sigma^\omega \to D$, a trace $f \in \Sigma^\omega$, and a value v ∈ D, the quantitative 
membership problem [18] asks whether Φ(f) ≥ v. We define quantitative 
safety as follows: the property Φ is safe iff every wrong hypothesis of the form 
Φ(f) ≥ v has a finite witness s ≺ f. 

Definition 2 (Safety). A property $\Phi : \Sigma^\omega \to D$ is safe iff for every $f \in \Sigma^\omega$ and 
value v ∈ D with $\Phi(f) \not\geq v$, there is a prefix s ≺ f such that $\sup_{g \in \Sigma^\omega} \Phi(sg) \not\geq v$. 


Let us illustrate this definition with the minimal response-time property. 


Example 3. Let $\Sigma = \{rq, gr, tk, oo\}$ and $D = \mathbb{N} \cup \{\infty\}$. We define the minimal
response-time property $\Phi_{\min}$ through an auxiliary finitary property $\pi_{\min}$ that
computes the minimum response time so far. In a finite or infinite trace, an
occurrence of rq is granted if it is followed, later, by a gr, and otherwise it is
pending. Let $\pi_{last}(s) = \infty$ if the finite trace $s$ contains a pending rq, or no
rq, and $\pi_{last}(s) = |r|_{tk} - |t|_{tk}$ otherwise, where $r \prec s$ is the longest prefix of
$s$ with a pending rq, and $t \prec r$ is the longest prefix of $r$ without pending rq.
Intuitively, $\pi_{last}$ provides the response time for the last request when all requests
are granted, and $\infty$ when there is a pending request or no request. Given $s \in \Sigma^*$,
taking the minimum of the values of $\pi_{last}$ over the prefixes $r \prec s$ gives us the
minimum response time so far. Let $\pi_{\min}(s) = \min_{r \prec s} \pi_{last}(r)$ for all $s \in \Sigma^*$, and
$\Phi_{\min}(f) = \lim_{s \prec f} \pi_{\min}(s)$ for all $f \in \Sigma^\omega$. The limit always exists because the
minimum is monotonically decreasing.
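As an added illustration (this code is not part of the paper), the following Python implements $\pi_{last}$ and $\pi_{\min}$ from Example 3 over traces given as lists of the observations rq, gr, tk and oo, and evaluates $\Phi_{\min}$ on ultimately periodic traces $uv^\omega$. The function names, the sample trace and the lasso evaluation are my own; the lasso evaluation rests on the assumption, stated in its docstring, that two unrollings of the loop already exhibit every response time that the infinite trace produces.

```python
from math import inf

# Alphabet of observations from Example 3. Traces are plain Python lists.
ALPHABET = ("rq", "gr", "tk", "oo")


def pi_last(s):
    """Finitary property pi_last of Example 3.

    Returns inf if s contains a pending rq or no rq at all; otherwise the
    number of tk observations between the start of the last granted pending
    stretch and the gr that granted it (|r|_tk - |t|_tk in the paper's notation).
    """
    pending = False      # is there an rq that has not yet seen a gr?
    seen_rq = False
    ticks = 0            # tk observations so far
    stretch_start = 0    # tick count when the current pending stretch began
    last = inf
    for obs in s:
        if obs not in ALPHABET:
            raise ValueError(f"unknown observation {obs!r}")
        if obs == "tk":
            ticks += 1
        elif obs == "rq":
            seen_rq = True
            if not pending:
                pending, stretch_start = True, ticks
        elif obs == "gr" and pending:
            pending, last = False, ticks - stretch_start
    return inf if pending or not seen_rq else last


def prefixes(s):
    """All prefixes of s, from the empty trace up to s itself."""
    return [s[:i] for i in range(len(s) + 1)]


def pi_min(s):
    """pi_min(s) = min over prefixes r of s of pi_last(r): minimum response time so far."""
    return min(pi_last(r) for r in prefixes(s))


def pi_min_profile(s):
    """pi_min on every prefix of s; Example 3 says this sequence never increases."""
    return [pi_min(r) for r in prefixes(s)]


def phi_min_lasso(u, v):
    """Phi_min on the ultimately periodic trace u v^omega.

    Assumption made for this example (not a construction from the paper): the
    pending/granted pattern repeats from the second copy of v on, so every value
    pi_last takes on a prefix of u v^omega already appears on a prefix of u v v.
    """
    if not v:
        raise ValueError("the loop v must be non-empty")
    return pi_min(list(u) + list(v) + list(v))


# Constructed sample trace: a request granted after 2 ticks, one granted after
# 1 tick, and a third request that is still pending at the end.
SAMPLE = ["rq", "tk", "tk", "gr", "oo", "rq", "tk", "gr", "rq", "tk"]

if __name__ == "__main__":
    print(pi_min_profile(SAMPLE))
    # A continuation that never grants the pending request (here tk^omega)
    # attains pi_min(SAMPLE): the ghost monitor's upper bound is reached.
    print(phi_min_lasso(SAMPLE, ["tk"]))
    # Granting later requests quickly can only lower the minimum further.
    print(phi_min_lasso(SAMPLE, ["gr", "rq", "gr"]))
```

The profile printed for the sample trace stays at $\infty$ until the first grant, drops to 2, then to 1, and never rises again, which is the monotonicity the example relies on; the two lasso evaluations show that every continuation yields a value at most $\pi_{\min}(s)$, the finite-witness half of Theorem 22.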

The minimal response-time property is safe. Let $f \in \Sigma^\omega$ and $v \in D$ such
that $\Phi_{\min}(f) < v$. Then, some prefix $s \prec f$ contains a rq that is granted after
$u < v$ ticks, in which case, no matter what happens in the future, the minimal
response time is guaranteed to be at most $u$; that is, $\sup_{g \in \Sigma^\omega} \Phi_{\min}(sg) \leq u < v$.
If you recall from the introduction the ghost monitor that maintains the sup
of possible prediction values for the minimal response-time property, that value
is always $\pi_{\min}$; that is, $\sup_{g \in \Sigma^\omega} \Phi_{\min}(sg) = \pi_{\min}(s)$ for all $s \in \Sigma^*$. Note that
in the case of minimal response time, the sup of possible prediction values is
always realizable; that is, for all $s \in \Sigma^*$, there exists an $f \in \Sigma^\omega$ such that
$\sup_{g \in \Sigma^\omega} \Phi_{\min}(sg) = \Phi_{\min}(sf)$.


Remark 4. Quantitative safety generalizes boolean safety. For every boolean
property $P \subseteq \Sigma^\omega$, the following statements are equivalent: (i) $P$ is safe ac-
cording to the classical definition [4], (ii) its characteristic property $\Phi_P$ is safe,
and (iii) for every $f \in \Sigma^\omega$ and $v \in \mathbb{B}$ with $\Phi_P(f) < v$, there exists a prefix $s \prec f$
such that for all $g \in \Sigma^\omega$, we have $\Phi_P(sg) < v$.


We now generalize the notion of safety closure and present an operation that 
makes a property safe by increasing the value of each trace as little as possible. 


Definition 5 (Safety closure). The safety closure of a property $\Phi$ is the prop-
erty $\Phi^*$ defined by $\Phi^*(f) = \inf_{s \prec f} \sup_{g \in \Sigma^\omega} \Phi(sg)$ for all $f \in \Sigma^\omega$.


We can say the following about the safety closure operation.

Proposition 6. For every property $\Phi : \Sigma^\omega \to D$, the following statements hold.

1. $\Phi^*$ is safe.

2. $\Phi^*(f) \geq \Phi(f)$ for all $f \in \Sigma^\omega$.

3. $\Phi^*(f) = \Phi^{**}(f)$ for all $f \in \Sigma^\omega$.

4. For every safety property $\Psi : \Sigma^\omega \to D$, if $\Phi(f) \leq \Psi(f)$ for all $f \in \Sigma^\omega$, then
$\Psi(g) \not< \Phi^*(g)$ for all $g \in \Sigma^\omega$.

3.1 Alternative Characterizations of Quantitative Safety


Consider a trace and its prefixes of increasing length. For a given property, 
the ghost monitor from the introduction maintains, for each prefix, the sup of 
possible prediction values, i.e., the least upper bound of the property values 
for all possible infinite continuations. The resulting sequence of monotonically 
decreasing suprema provides an upper bound on the eventual property value. 
Moreover, for some properties, this sequence always converges to the property 
value. If this is the case, then the ghost monitor can always dismiss wrong 
lower-bound hypotheses after finite prefixes, and vice versa. This gives us an 
alternative definition for the safety of quantitative properties which, inspired by 
the notion of Scott continuity, was called continuity [33]. We now believe that 
upper semicontinuity is a more appropriate term, as becomes clear when we 
consider the Cantor topology on $\Sigma^\omega$ and the value domain $\mathbb{R} \cup \{-\infty, +\infty\}$.


Definition 7 (Upper semicontinuity [33]). A property $\Phi$ is upper semicon-
tinuous iff $\Phi(f) = \lim_{s \prec f} \sup_{g \in \Sigma^\omega} \Phi(sg)$ for all $f \in \Sigma^\omega$.

We note that the minimal response-time property is upper semicontinuous.

Example 8. Recall the minimal response-time property $\Phi_{\min}$ from Example 3.
For every trace $f \in \Sigma^\omega$, the $\Phi_{\min}$ value is the limit of the $\pi_{\min}$ values for the
prefixes of $f$. Therefore, $\Phi_{\min}$ is upper semicontinuous.


In general, a property is safe iff it maps every trace to the limit of the suprema 
of possible prediction values. Moreover, we can also characterize safety properties 
as the properties that are equal to their safety closure. 


Theorem 9. For every property $\Phi$, the following statements are equivalent:
1. $\Phi$ is safe. 2. $\Phi$ is upper semicontinuous. 3. $\Phi(f) = \Phi^*(f)$ for all $f \in \Sigma^\omega$.


3.2 Related Definitions of Quantitative Safety 


In [41], the authors consider the model-checking problem for properties on multi-
valued truth domains. They introduce the notion of multi-safety through a clo-
sure operation that coincides with our safety closure. Formally, a property $\Phi$ is
multi-safe iff $\Phi(f) = \Phi^*(f)$ for every $f \in \Sigma^\omega$. It is easy to see the following.


Proposition 10. For every property $\Phi$, we have $\Phi$ is multi-safe iff $\Phi$ is safe.


Although the two definitions of safety are equivalent, our definition is con- 
sistent with the membership problem for quantitative automata and motivated 
by the monitoring of quantitative properties. 

In [27], the authors extend a refinement of the safety-liveness classification for
monitoring [43] to richer domains. They introduce the notion of verdict-safety
through dismissibility of values not less than or equal to the property value.
Formally, a property $\Phi$ is verdict-safe iff for every $f \in \Sigma^\omega$ and $v \not\leq \Phi(f)$, there
exists a prefix $s \prec f$ such that for all $g \in \Sigma^\omega$, we have $\Phi(sg) \neq v$.

We demonstrate that verdict-safety is weaker than safety. Moreover, we pro-
vide a condition under which the two definitions coincide. To achieve this, we
reason about sets of possible prediction values: for a property $\Phi$ and $s \in \Sigma^*$, let
$P_{\Phi,s} = \{\Phi(sf) \mid f \in \Sigma^\omega\}$.

Lemma 11. A property $\Phi$ is verdict-safe iff $\Phi(f) = \sup(\lim_{s \prec f} P_{\Phi,s})$ for all
$f \in \Sigma^\omega$.


Notice that $\Phi$ is safe iff $\Phi(f) = \lim_{s \prec f}(\sup P_{\Phi,s})$ for all $f \in \Sigma^\omega$. Below we
describe a property that is verdict-safe but not safe.


Example 12. Let $\Sigma = \{a,b\}$. Define $\Phi$ by $\Phi(f) = 0$ if $f = a^\omega$, and $\Phi(f) = |s|$
otherwise, where $s \prec f$ is the shortest prefix in which $b$ occurs. The property $\Phi$
is verdict-safe. First, observe that $D = \mathbb{N} \cup \{\infty\}$. Let $f \in \Sigma^\omega$ and $v \in D$ with
$v > \Phi(f)$. If $\Phi(f) > 0$, then $f$ contains $b$, and $\Phi(f) = |s|$ for some $s \prec f$ in which
$b$ occurs for the first time. After the prefix $s$, all $g \in \Sigma^\omega$ yield $\Phi(sg) = |s|$, thus
all values above $|s|$ are rejected. If $\Phi(f) = 0$, then $f = a^\omega$. Let $v \in D$ with $v > 0$,
and consider the prefix $a^v \prec f$. Observe that the set of possible prediction values
after reading $a^v$ is $\{0, v+1, v+2, \ldots\}$, therefore $a^v$ allows the ghost monitor to
reject the value $v$. However, $\Phi$ is not safe because, although $\Phi(a^\omega) = 0$, for every
$s \prec a^\omega$, we have $\sup_{g \in \Sigma^\omega} \Phi(sg) = \infty$.


The separation is due to the fact that, for some finite traces, the sup of 
possible prediction values cannot be realized by any future. Below, we present a 
condition that prevents such cases. 


Definition 13 (Supremum closedness). A property $\Phi$ is sup-closed iff for
every $s \in \Sigma^*$ we have $\sup P_{\Phi,s} \in P_{\Phi,s}$.


We remark that the minimal response-time property is sup-closed. 


Example 14. The safety property minimal response-time $\Phi_{\min}$ from Example 3
is sup-closed. This is because, for every $s \in \Sigma^*$, the continuation $gr^\omega$ realizes
the value $\sup_{g \in \Sigma^\omega} \Phi_{\min}(sg)$.


Recall from the introduction the ghost monitor that maintains the sup of 
possible prediction values. For monitoring sup-closed properties this suffices; 
otherwise the ghost monitor also needs to maintain whether or not the supremum 
of the possible prediction values is realizable by some future continuation. In 
general, we have the following for every sup-closed property. 


Lemma 15. For every sup-closed property $\Phi$ and for all $f \in \Sigma^\omega$, we have
$\lim_{s \prec f}(\sup P_{\Phi,s}) = \sup(\lim_{s \prec f} P_{\Phi,s})$.


As a consequence of the lemmas above, we get the following. 


Theorem 16. A sup-closed property $\Phi$ is safe iff $\Phi$ is verdict-safe.


4 The Quantitative Safety-Progress Hierarchy 


Our quantitative extension of safety closure allows us to build a Borel hierarchy, 
which is a quantitative extension of the boolean safety-progress hierarchy [17]. 
First, we show that safety properties are closed under pairwise min and max. 


Proposition 17. For every value domain $D$, the set of safety properties over $D$
is closed under min and max.

The boolean safety-progress classification of properties is a Borel hierarchy
built from the Cantor topology of traces. Safety and co-safety properties lie on 
the first level, respectively corresponding to the closed sets and open sets of 
the topology. The second level is obtained through countable unions and inter- 
sections of properties from the first level: persistence properties are countable 
unions of closed sets, while response properties are countable intersections of 
open sets. We generalize this construction to the quantitative setting. 

In the boolean case, each property class is defined through an operation that
takes a set $S \subseteq \Sigma^*$ of finite traces and produces a set $P \subseteq \Sigma^\omega$ of infinite traces.
For example, to obtain a co-safety property from $S \subseteq \Sigma^*$, the corresponding
operation yields $S\Sigma^\omega$. Similarly, we formalize each property class by a value
function. For this, we define the notion of limit property.


Definition 18 (Limit property). A property $\Phi : \Sigma^\omega \to D$ is a limit prop-
erty iff there exists a finitary property $\pi : \Sigma^* \to D$ and a value function
$\ell : D^\omega \to D$ such that $\Phi(f) = \ell_{s \prec f}\,\pi(s)$ for all $f \in \Sigma^\omega$. We denote this by
$\Phi = (\pi, \ell)$, and write $\Phi(s)$ instead of $\pi(s)$. In particular, if $\Phi = (\pi, \ell)$, where
$\ell \in \{\inf, \sup, \liminf, \limsup\}$, then $\Phi$ is an $\ell$-property.


To account for the value functions that construct the first two levels of the
safety-progress hierarchy, we start our investigation with inf- and sup-properties
and later focus on lim inf- and lim sup-properties [18].


4.1 Infimum and Supremum Properties 


Let us start with an example by demonstrating that the minimal response-time 
property is an inf-property. 


Example 19. Recall the safety property $\Phi_{\min}$ of minimal response time from
Example 3. We can equivalently define $\Phi_{\min}$ as a limit property by taking the
finitary property $\pi_{last}$ and the value function $\inf$. As discussed in Example 3,
the function $\pi_{last}$ outputs the response time for the last request when all re-
quests are granted, and $\infty$ when there is a pending request or no request. Then
$\inf_{s \prec f} \pi_{last}(s) = \Phi_{\min}(f)$ for all $f \in \Sigma^\omega$, and therefore $\Phi_{\min} = (\pi_{last}, \inf)$.


In fact, the safety properties coincide with inf-properties.

Theorem 20. A property $\Phi$ is safe iff $\Phi$ is an inf-property.


Defining the minimal response-time property as a limit property, we observe 
the following relation between its behavior on finite traces and infinite traces. 


Example 21. Consider the property $\Phi_{\min} = (\pi_{last}, \inf)$ from Example 19. Let
$f \in \Sigma^\omega$ and $v \in D$. Observe that if the minimal response time of $f$ is at least $v$,
then the last response time for each prefix $s \prec f$ is also at least $v$. Conversely, if
the minimal response time of $f$ is below $v$, then there is a prefix $s \prec f$ for which
the last response time is also below $v$.


In light of this observation, we provide another characterization of safety 
properties, explicitly relating the specified behavior of the limit property on 
finite and infinite traces. 
Theorem 22. A property $\Phi : \Sigma^\omega \to D$ is safe iff $\Phi$ is a limit property such that
for every $f \in \Sigma^\omega$ and value $v \in D$, we have $\Phi(f) \geq v$ iff $\Phi(s) \geq v$ for all $s \prec f$.


Recall that a safety property allows rejecting wrong lower-bound hypotheses
with a finite witness, by assigning a tight upper bound to each trace. We de-
fine co-safety properties symmetrically: a property $\Phi$ is co-safe iff every wrong
hypothesis of the form $\Phi(f) \leq v$ has a finite witness $s \prec f$.


Definition 23 (Co-safety). A property $\Phi : \Sigma^\omega \to D$ is co-safe iff for every
$f \in \Sigma^\omega$ and value $v \in D$ with $\Phi(f) \not\leq v$, there exists a prefix $s \prec f$ such that
$\inf_{g \in \Sigma^\omega} \Phi(sg) \not\leq v$.


We note that our definition generalizes boolean co-safety, and thus a dual of
Remark 4 holds also for co-safety. Moreover, we analogously define the notions
of co-safety closure and lower semicontinuity.


Definition 24 (Co-safety closure). The co-safety closure of a property $\Phi$ is
the property $\Phi_*$ defined by $\Phi_*(f) = \sup_{s \prec f} \inf_{g \in \Sigma^\omega} \Phi(sg)$ for all $f \in \Sigma^\omega$.


Definition 25 (Lower semicontinuity [33]). A property $\Phi$ is lower semicon-
tinuous iff $\Phi(f) = \lim_{s \prec f} \inf_{g \in \Sigma^\omega} \Phi(sg)$ for all $f \in \Sigma^\omega$.


Now, we define and investigate the maximal response-time property. In partic- 
ular, we show that it is a sup-property that is co-safe and lower semicontinuous. 


Example 26. Let $\Sigma = \{rq, gr, tk, oo\}$ and $D = \mathbb{N} \cup \{\infty\}$. We define the maximal
response-time property $\Phi_{\max}$ through a finitary property that computes the cur-
rent response time for each finite trace and the value function $\sup$. In particular,
for all $s \in \Sigma^*$, let $\pi_{curr}(s) = |s|_{tk} - |r|_{tk}$, where $r \prec s$ is the longest prefix of $s$
without pending rq; then $\Phi_{\max} = (\pi_{curr}, \sup)$. Note the contrast between $\pi_{curr}$
and $\pi_{last}$ from Example 3. While $\pi_{curr}$ takes an optimistic view of the future
and assumes the gr will follow immediately, $\pi_{last}$ takes a pessimistic view and
assumes the gr will never follow. Let $f \in \Sigma^\omega$ and $v \in D$. If the maximal response
time of $f$ is greater than $v$, then for some prefix $s \prec f$ the current response time
is greater than $v$ also, which means that, no matter what happens in the future,
the maximal response time is greater than $v$ after observing $s$. Therefore, $\Phi_{\max}$
is co-safe. By a similar reasoning, the sequence of greatest lower bounds of pos-
sible prediction values over the prefixes converges to the property value. In other
words, we have $\lim_{s \prec f} \inf_{g \in \Sigma^\omega} \Phi_{\max}(sg) = \Phi_{\max}(f)$ for all $f \in \Sigma^\omega$. Thus $\Phi_{\max}$
is also lower semicontinuous, and it equals its co-safety closure. Now, consider
the complementary property $\bar{\Phi}_{\max}$, which maps every trace to the same value
as $\Phi_{\max}$ on a domain where the order is reversed. It is easy to see that $\bar{\Phi}_{\max}$ is
safe. Finally, recall the ghost monitor from the introduction, which maintains
the infimum of possible prediction values for the maximal response-time prop-
erty. Since the maximal response-time property is inf-closed, the output of the
ghost monitor after every prefix is realizable by some future continuation, and
that output is $\pi_{\max}(s) = \max_{r \prec s} \pi_{curr}(r)$ for all $s \in \Sigma^*$.
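The dual picture in code, as an added example that is not from the paper: $\pi_{curr}$ and $\pi_{\max}$ from Example 26 over the same list-of-observations traces, plus an evaluation of $\Phi_{\max}$ on ultimately periodic traces $uv^\omega$. The names and the sample trace are mine, and the lasso evaluation assumes, as noted in its docstring, that the pending pattern repeats from the second copy of the loop on; a loop that leaves a request pending forever while ticking is the one case where the supremum is $\infty$.

```python
from math import inf

ALPHABET = ("rq", "gr", "tk", "oo")


def scan(s):
    """Single pass over s: returns (pending, ticks, stretch_start), where
    stretch_start is the tick count at which the current pending stretch began."""
    pending, ticks, stretch_start = False, 0, 0
    for obs in s:
        if obs not in ALPHABET:
            raise ValueError(f"unknown observation {obs!r}")
        if obs == "tk":
            ticks += 1
        elif obs == "rq" and not pending:
            pending, stretch_start = True, ticks
        elif obs == "gr":
            pending = False
    return pending, ticks, stretch_start


def pi_curr(s):
    """pi_curr(s) = |s|_tk - |r|_tk with r the longest prefix of s without pending rq:
    the ticks elapsed on the request pending right now, 0 if none is pending.
    This is the optimistic view: it assumes the gr arrives next."""
    pending, ticks, stretch_start = scan(s)
    return ticks - stretch_start if pending else 0


def prefixes(s):
    return [s[:i] for i in range(len(s) + 1)]


def pi_max(s):
    """pi_max(s) = max over prefixes r of s of pi_curr(r): the ghost monitor's
    infimum of possible prediction values for the maximal response time."""
    return max(pi_curr(r) for r in prefixes(s))


def pi_max_profile(s):
    """pi_max on every prefix of s; the sequence never decreases."""
    return [pi_max(r) for r in prefixes(s)]


def phi_max_lasso(u, v):
    """Phi_max = sup of pi_curr over the prefixes of u v^omega.

    Assumption made for this example (not from the paper): the pending pattern
    repeats from the second copy of v on, so the supremum is attained on a prefix
    of u v v, unless a request stays pending forever while the loop keeps ticking,
    in which case the current response time grows without bound.
    """
    u, v = list(u), list(v)
    if not v:
        raise ValueError("the loop v must be non-empty")
    pending_forever = scan(u + v)[0] and "gr" not in v
    if pending_forever and "tk" in v:
        return inf
    return pi_max(u + v + v)


# Constructed sample trace (same shape as in the Example 3 illustration):
# requests granted after 2 and 1 ticks, then a request still pending.
SAMPLE = ["rq", "tk", "tk", "gr", "oo", "rq", "tk", "gr", "rq", "tk"]

if __name__ == "__main__":
    print(pi_max_profile(SAMPLE))
    # gr^omega grants the pending request at once and adds no ticks, so it
    # realizes the ghost monitor's output pi_max(SAMPLE): inf-closedness.
    print(phi_max_lasso(SAMPLE, ["gr"]))
    # rq tk^omega leaves a request pending forever: the value escapes to infinity.
    print(phi_max_lasso(SAMPLE, ["rq", "tk"]))
```

The profile is non-decreasing, which is the finite-trace side of item 5 of Theorem 27: once some prefix shows a current response time above $v$, no continuation can bring $\Phi_{\max}$ back below $v$. The last call is exactly the continuation $g = rq\,tk^\omega$ that Example 41 later uses to show that $\Phi_{\max}$ is live.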


Generalizing the observations in the example above, we obtain the following 
characterizations due to the duality between safety and co-safety. 
Theorem 27. For every property $\Phi : \Sigma^\omega \to D$, the following are equivalent.

1. $\Phi$ is co-safe.

2. $\Phi$ is lower semicontinuous.

3. $\Phi(f) = \Phi_*(f)$ for every $f \in \Sigma^\omega$.

4. $\Phi$ is a sup-property.

5. $\Phi$ is a limit property such that for every $f \in \Sigma^\omega$ and value $v \in D$, we have
$\Phi(f) \leq v$ iff $\Phi(s) \leq v$ for all $s \prec f$.

6. $\bar{\Phi}$ is safe.


4.2 Limit Inferior and Limit Superior Properties 
Let us start with an observation on the minimal response-time property. 


Example 28. Recall once again the minimal response-time property $\Phi_{\min}$ from
Example 3. In the previous subsection, we presented an alternative definition of
$\Phi_{\min}$ to establish that it is an inf-property. Observe that there is yet another
equivalent definition of $\Phi_{\min}$ which takes the monotonically decreasing finitary
property $\pi_{\min}$ from Example 3 and pairs it with either the value function $\liminf$,
or with $\limsup$. Hence $\Phi_{\min}$ is both a lim inf- and a lim sup-property.


Before moving on to investigating lim inf- and lim sup-properties more closely, 
we show that the above observation can be generalized. 


Theorem 29. Every $\ell$-property $\Phi$, for $\ell \in \{\inf, \sup\}$, is both a lim inf- and a
lim sup-property.


An interesting response-time property beyond safety and co-safety arises 
when we remove extreme values: instead of minimal response time, consider 
the property that maps every trace to a value that bounds from below, not all 
response times, but all of them from a point onward (i.e., all but finitely many). 
We call this property tail-minimal response time. 


Example 30. Let $\Sigma = \{rq, gr, tk, oo\}$ and $\pi_{last}$ be the finitary property from
Example 3 that computes the last response time. We define the tail-minimal
response-time property as $\Phi_{tmin} = (\pi_{last}, \liminf)$. Intuitively, it maps each trace
to the least response time over all but finitely many requests. This property
is interesting as a performance measure, because it focuses on the long-term
performance by ignoring finitely many outliers. Consider $f \in \Sigma^\omega$ and $v \in D$.
Observe that, if the tail-minimal response time of $f$ is at least $v$, then there is
a prefix $s \prec f$ such that for all longer prefixes $s \prec r \prec f$, the last response time
in $r$ is at least $v$, and vice versa.


Similarly as for inf-properties, we characterize lim inf-properties through a 
relation between property behaviors on finite and infinite traces. 


Theorem 31. A property $\Phi : \Sigma^\omega \to D$ is a lim inf-property iff $\Phi$ is a limit
property such that for every $f \in \Sigma^\omega$ and value $v \in D$, we have $\Phi(f) \geq v$ iff there
exists $s \prec f$ such that for all $s \prec r \prec f$, we have $\Phi(r) \geq v$.


Now, we show that the tail-minimal response-time property can be expressed 
as a countable supremum of inf-properties. 
Example 32. Let $i \in \mathbb{N}$ and define $\pi_{i,last}$ as a finitary property that imitates
$\pi_{last}$ from Example 3, but ignores the first $i$ observations of every finite trace.
Formally, for $s \in \Sigma^*$, we define $\pi_{i,last}(s) = \pi_{last}(r)$ for $s = s_i r$ where $s_i \prec s$
with $|s_i| = i$, and $r \in \Sigma^*$. Observe that an equivalent way to define $\Phi_{tmin}$ from
Example 30 is $\sup_{i \in \mathbb{N}}(\inf_{s \prec f}(\pi_{i,last}(s)))$ for all $f \in \Sigma^\omega$. Intuitively, for each
$i \in \mathbb{N}$, we obtain an inf-property that computes the minimal response time of
the suffixes of a given trace. Taking the supremum over these, we obtain the
greatest lower bound on all but finitely many response times.


We generalize this observation and show that every liminf-property is a 
countable supremum of inf-properties. 


Theorem 33. Every lim inf-property is a countable supremum of inf-properties. 


We would also like to have the converse of Theorem 33, i.e., that every 
countable supremum of inf-properties is a liminf-property. Currently, we are 
able to show only the following. 


Theorem 34. For every infinite sequence $(\Phi_i)_{i \in \mathbb{N}}$ of inf-properties, there is a
lim inf-property $\Phi$ such that $\sup_{i \in \mathbb{N}} \Phi_i(f) \leq \Phi(f)$.


We conjecture that some liminf-property that satisfies Theorem 34 is also 
a lower bound on the countable supremum that occurs in the theorem. This, 
together with Theorem 34, would imply the converse of Theorem 33. Proving 
the converse of Theorem 33 would give us, thanks to the following duality, that 
the liminf- and limsup-properties characterize the second level of the Borel 
hierarchy of the topology induced by the safety closure operator. 


Proposition 35. A property $\Phi$ is a lim inf-property iff its complement $\bar{\Phi}$ is a
lim sup-property.


5 Quantitative Liveness 


Similarly as for safety, we take the perspective of the quantitative membership
problem to define liveness: a property $\Phi$ is live iff, whenever a property value is
less than $\top$, there exists a value $v$ for which the wrong hypothesis $\Phi(f) \geq v$ can
never be dismissed by any finite witness $s \prec f$.


Definition 36 (Liveness). A property $\Phi : \Sigma^\omega \to D$ is live iff for all $f \in \Sigma^\omega$,
if $\Phi(f) < \top$, then there exists a value $v \in D$ such that $\Phi(f) \not\geq v$ and for all
prefixes $s \prec f$, we have $\sup_{g \in \Sigma^\omega} \Phi(sg) \geq v$.


An equivalent definition can be given through the safety closure. 


Theorem 37. A property $\Phi$ is live iff $\Phi^*(f) > \Phi(f)$ for every $f \in \Sigma^\omega$ with
$\Phi(f) < \top$.


Our definition generalizes boolean liveness. A boolean property $P \subseteq \Sigma^\omega$ is
live according to the classical definition [4] iff its characteristic property $\Phi_P$ is
live according to our definition. Moreover, the intersection of safety and liveness
contains only the single degenerate property that always outputs $\top$.

Proposition 38. A property $\Phi$ is safe and live iff $\Phi(f) = \top$ for all $f \in \Sigma^\omega$.


We define co-liveness symmetrically, and note that the duals of the observa- 
tions above also hold for co-liveness. 


Definition 39 (Co-liveness). A property $\Phi : \Sigma^\omega \to D$ is co-live iff for all
$f \in \Sigma^\omega$, if $\Phi(f) > \bot$, then there exists a value $v \in D$ such that $\Phi(f) \not\leq v$ and
for all prefixes $s \prec f$, we have $\inf_{g \in \Sigma^\omega} \Phi(sg) \leq v$.


Next, we present some examples of liveness and co-liveness properties. We 
start by showing that lim inf- and lim sup-properties can be live and co-live. 


Example 40. Let $\Sigma = \{a,b\}$ be an alphabet, and let $P = \Box\Diamond a$ and $Q = \Diamond\Box b$ be
boolean properties defined in linear temporal logic. Consider their characteristic
properties $\Phi_P$ and $\Phi_Q$. As we pointed out earlier, our definitions generalize their
boolean counterparts, therefore $\Phi_P$ and $\Phi_Q$ are both live and co-live. Moreover,
$\Phi_P$ is a lim sup-property: define $\pi_P(s) = 1$ if $s \in \Sigma^* a$, and $\pi_P(s) = 0$ otherwise,
and observe that $\Phi_P(f) = \limsup_{s \prec f} \pi_P(s)$ for all $f \in \Sigma^\omega$. Similarly, $\Phi_Q$ is a
lim inf-property.


Now, we show that the maximal response-time property is live, and the min- 
imal response time is co-live. 


Example 41. Recall the co-safety property $\Phi_{\max}$ of maximal response time from
Example 26. Let $f \in \Sigma^\omega$ such that $\Phi_{\max}(f) < \infty$. We can extend every prefix
$s \prec f$ with $g = rq\,tk^\omega$, which gives us $\Phi_{\max}(sg) = \infty > \Phi_{\max}(f)$. Equivalently,
for every $f \in \Sigma^\omega$, we have $\Phi^*_{\max}(f) = \infty > \Phi_{\max}(f)$. Hence $\Phi_{\max}$ is live and,
analogously, the safety property $\Phi_{\min}$ from Example 3 is co-live.


Finally, we show that the average response-time property is live and co-live. 


Example 42. Let $\Sigma = \{rq, gr, tk, oo\}$. For all $s \in \Sigma^*$, let $p(s) = 1$ if there is
no pending rq in $s$, and $p(s) = 0$ otherwise. Define $\pi_{valid}(s) = |\{r \prec s \mid \exists t \in
\Sigma^* : r = t\,rq \wedge p(t) = 1\}|$ as the number of valid requests in $s$, and define
$\pi_{time}(s)$ as the number of tk observations that occur after a valid rq and before
the matching gr. Then, $\Phi_{avg} = (\pi_{avg}, \liminf)$, where $\pi_{avg}(s) = \frac{\pi_{time}(s)}{\pi_{valid}(s)}$ for all
$s \in \Sigma^*$ with $\pi_{valid}(s) > 0$, and $\pi_{avg}(s) = \infty$ otherwise. For example, $\pi_{avg}(s) = \frac{3}{2}$
for $s = rq\,tk\,gr\,tk\,rq\,tk\,rq\,tk$. Note that $\Phi_{avg}$ is a lim inf-property.

The property $\Phi_{avg}$ is defined on the value domain $[0, \infty]$ and is both live and
co-live. To see this, let $f \in \Sigma^\omega$ such that $0 < \Phi_{avg}(f) < \infty$ and, for every prefix
$s \prec f$, consider $g = rq\,tk^\omega$ and $h = gr\,(rq\,gr)^\omega$. Since $sg$ has a pending request
followed by infinitely many clock ticks, we have $\Phi_{avg}(sg) = \infty$. Similarly, since
$sh$ eventually has all new requests immediately granted, we get $\Phi_{avg}(sh) = 0$.
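An added example (mine, not the paper's) that computes $\pi_{valid}$, $\pi_{time}$ and $\pi_{avg}$ from Example 42 on finite traces and evaluates $\Phi_{avg}$, the lim inf of the prefix values, on ultimately periodic traces $uv^\omega$. The function names are mine; ticks of a request that is still pending are counted in $\pi_{time}$, which is the reading of the definition under which $rq\,tk^\omega$ drives the average to $\infty$ as the example states. The lasso evaluation assumes that, from the second copy of the loop on, each copy contributes the same number of valid requests and ticks; that assumption is stated in the docstring.

```python
from fractions import Fraction
from math import inf

ALPHABET = ("rq", "gr", "tk", "oo")


def request_stats(s):
    """One pass over s; returns (pending, valid, time).

    valid counts the rq observations that arrive while no request is pending
    (pi_valid: r = t rq with p(t) = 1); time counts the tk observations seen
    while a valid request is pending (pi_time), including those of a request
    that has not been granted yet.
    """
    pending, valid, time = False, 0, 0
    for obs in s:
        if obs not in ALPHABET:
            raise ValueError(f"unknown observation {obs!r}")
        if obs == "rq" and not pending:
            pending, valid = True, valid + 1
        elif obs == "gr":
            pending = False
        elif obs == "tk" and pending:
            time += 1
    return pending, valid, time


def pi_avg(s):
    """pi_avg(s) = pi_time(s) / pi_valid(s), or infinity when s has no valid request."""
    _, valid, time = request_stats(s)
    return Fraction(time, valid) if valid > 0 else inf


def phi_avg_lasso(u, v):
    """Phi_avg = liminf of pi_avg over the prefixes of u v^omega.

    Assumption made for this example (not from the paper): from the second
    unrolling on, every copy of v adds the same number dv of valid requests and
    dt of counted ticks, so the prefix values converge to dt/dv when dv > 0.
    """
    u, v = list(u), list(v)
    if not v:
        raise ValueError("the loop v must be non-empty")
    _, valid1, time1 = request_stats(u + v)
    _, valid2, time2 = request_stats(u + v + v)
    dv, dt = valid2 - valid1, time2 - time1
    if dv > 0:
        return Fraction(dt, dv)       # average over infinitely many requests
    if valid2 == 0 or dt > 0:
        return inf                    # no request at all, or one pending forever while ticking
    return pi_avg(u + v + v)          # no new requests, no new ticks: value is frozen


# The trace used in Example 42: two valid requests (the third rq arrives while
# another is pending) and three counted ticks.
PAPER_TRACE = ["rq", "tk", "gr", "tk", "rq", "tk", "rq", "tk"]

if __name__ == "__main__":
    print(pi_avg(PAPER_TRACE))                                   # 3/2
    # Liveness: g = rq tk^omega pushes the average to infinity.
    print(phi_avg_lasso(PAPER_TRACE, ["rq", "tk"]))
    # Co-liveness: h = gr (rq gr)^omega pulls the average down to 0.
    print(phi_avg_lasso(PAPER_TRACE + ["gr"], ["rq", "gr"]))
```

Both continuations can be appended to any prefix, which is why the same two lasso calls witness liveness and co-liveness for every finite trace, not only for the one from the paper.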


5.1 The Quantitative Safety-Liveness Decomposition 


A celebrated theorem states that every boolean property can be expressed as an 
intersection of a safety property and a liveness property [4]. In this section, we 
prove the analogous result for the quantitative setting. 
Example 43. Let $\Sigma = \{rq, gr, tk, oo\}$. Recall the maximal response-time prop-
erty $\Phi_{\max}$ from Example 26, and the average response-time property $\Phi_{avg}$ from
Example 42. Let $n > 0$ be an integer and define a new property $\Phi$ by $\Phi(f) =$
$\Phi_{avg}(f)$ if $\Phi_{\max}(f) < n$, and $\Phi(f) = 0$ otherwise. For the safety closure of $\Phi$,
we have $\Phi^*(f) = n$ if $\Phi_{\max}(f) < n$, and $\Phi^*(f) = 0$ otherwise. Now, we further
define $\Psi(f) = \Phi_{avg}(f)$ if $\Phi_{\max}(f) < n$, and $\Psi(f) = n$ otherwise. Observe that $\Psi$
is live, because every prefix of a trace whose value is less than $n$ can be extended
to a greater value. Finally, note that for all $f \in \Sigma^\omega$, we can express $\Phi(f)$ as
the pointwise minimum of $\Phi^*(f)$ and $\Psi(f)$. Intuitively, the safety part $\Phi^*$ of
this decomposition checks whether the maximal response time stays below the
permitted bound, and the liveness part $\Psi$ keeps track of the average response
time as long as the bound is satisfied.


Following a similar construction, we show that a safety-liveness decomposi- 
tion exists for every property. 


Theorem 44. For every property $\Phi$, there exists a liveness property $\Psi$ such that
$\Phi(f) = \min(\Phi^*(f), \Psi(f))$ for all $f \in \Sigma^\omega$.


In particular, if the given property is safe or live, the decomposition is trivial. 


Remark 45. Let $\Phi$ be a property. If $\Phi$ is safe (resp. live), then the safety (resp.
liveness) part of the decomposition is $\Phi$ itself, and the liveness (resp. safety) part
is the constant property that maps every trace to $\top$.


For co-safety and co-liveness, the duals of Theorem 44 and Remark 45 hold. 
In particular, every property is the pointwise maximum of its co-safety closure 
and a co-liveness property. 


5.2 Related Definitions of Quantitative Liveness 


In [41], the authors define a property $\Phi$ as multi-live iff $\Phi^*(f) > \bot$ for all
$f \in \Sigma^\omega$. We show that our definition is more restrictive, resulting in fewer
liveness properties while still allowing a safety-liveness decomposition.


Proposition 46. Every live property is multi-live, and the inclusion is strict.

We provide a separating example on a totally ordered domain below.


Example 47. Let $\Sigma = \{a,b,c\}$, and consider the following property: $\Phi(f) = 0$ if
$f \models \Box a$, and $\Phi(f) = 1$ if $f \models \Diamond c$, and $\Phi(f) = 2$ otherwise (i.e., if $f \models \Diamond b \wedge \Box\neg c$).
For all $f \in \Sigma^\omega$ and prefixes $s \prec f$, we have $\Phi(sc^\omega) = 1$. Thus $\Phi^*(f) \neq \bot$, which
implies that $\Phi$ is multi-live. However, $\Phi$ is not live. Indeed, for every $f \in \Sigma^\omega$
such that $f \models \Diamond c$, we have $\Phi(f) = 1 < \top$. Moreover, $f$ admits some prefix $s$
that contains an occurrence of $c$, thus satisfying $\sup_{g \in \Sigma^\omega} \Phi(sg) = 1$.


In [27], the authors define a property $\Phi$ as verdict-live iff for every $f \in \Sigma^\omega$
and value $v \not\leq \Phi(f)$, every prefix $s \prec f$ satisfies $\Phi(sg) = v$ for some $g \in \Sigma^\omega$. We
show that our definition is more liberal.


364 T. A. Henzinger et al. 
Proposition 48. Every verdict-live property is live, and the inclusion is strict. 


We provide a separating example below, concluding that our definition is 
strictly more general even for totally ordered domains. 


Example 49. Let $\Sigma = \{a,b\}$, and consider the following property: $\Phi(f) = 0$ if
$f \not\models \Diamond b$, and $\Phi(f) = 1$ if $f \models \Diamond(b \wedge \bigcirc\Diamond b)$, and $\Phi(f) = 2^{-|s|}$ otherwise, where
$s \prec f$ is the shortest prefix in which $b$ occurs. Consider an arbitrary $f \in \Sigma^\omega$.
If $\Phi(f) = 1$, then the liveness condition is vacuously satisfied. If $\Phi(f) = 0$, then
$f = a^\omega$, and every prefix $s \prec f$ can be extended with $g = ba^\omega$ or $h = b^\omega$ to obtain
$\Phi(sg) = 2^{-(|s|+1)}$ and $\Phi(sh) = 1$. If $0 < \Phi(f) < 1$, then $f$ satisfies $\Diamond b$ but not
$\Diamond(b \wedge \bigcirc\Diamond b)$, and every prefix $s \prec f$ can be extended with $b^\omega$ to obtain $\Phi(sb^\omega) = 1$.
Hence $\Phi$ is live. However, $\Phi$ is not verdict-live. To see this, consider the trace
$f = a^k b a^\omega$ for some integer $k \geq 1$ and note that $\Phi(f) = 2^{-(k+1)}$. Although all
prefixes of $f$ can be extended to reach the value 1, the value domain contains
elements between $\Phi(f)$ and 1, namely the values $2^{-m}$ for $1 \leq m \leq k$. Each of
these values can be rejected after reading a finite prefix of $f$, because for $n \geq m$
it is not possible to extend $a^n$ to reach the value $2^{-m}$.


6 Approximate Monitoring through Approximate Safety 


In this section, we consider properties on extended reals $\mathbb{R}^{\pm\infty} = \mathbb{R} \cup \{-\infty, +\infty\}$.
We denote by $\mathbb{R}_{\geq 0}$ the set of nonnegative real numbers.


Definition 50 (Approximate safety and co-safety). Let $\alpha \in \mathbb{R}_{\geq 0}$. A prop-
erty $\Phi$ is $\alpha$-safe iff for every $f \in \Sigma^\omega$ and value $v \in \mathbb{R}^{\pm\infty}$ with $\Phi(f) < v$, there
exists a prefix $s \prec f$ such that $\sup_{g \in \Sigma^\omega} \Phi(sg) < v + \alpha$. Similarly, $\Phi$ is $\alpha$-co-safe
iff for every $f \in \Sigma^\omega$ and $v \in \mathbb{R}^{\pm\infty}$ with $\Phi(f) > v$, there exists $s \prec f$ such that
$\inf_{g \in \Sigma^\omega} \Phi(sg) > v - \alpha$. When $\Phi$ is $\alpha$-safe (resp. $\alpha$-co-safe) for some $\alpha \in \mathbb{R}_{\geq 0}$,
we say that $\Phi$ is approximately safe (resp. approximately co-safe).


Approximate safety can be characterized through the following relation with 
the safety closure. 


Proposition 51. For every error bound $\alpha \in \mathbb{R}_{\geq 0}$, a property $\Phi$ is $\alpha$-safe iff
$\Phi^*(f) - \Phi(f) \leq \alpha$ for all $f \in \Sigma^\omega$.


An analogue of Proposition 51 holds for approximate co-safety and the co- 
safety closure. Moreover, approximate safety and approximate co-safety are dual 
notions that are connected by the complement operation, similarly to their pre- 
cise counterparts (Theorem 27). 


6.1 The Intersection of Approximate Safety and Co-safety 


Recall the ghost monitor from the introduction. If, after a finite number of obser- 
vations, all the possible prediction values are close enough, then we can simply 
freeze the current value and achieve a sufficiently small error. This happens for 
properties that are both approximately safe and approximately co-safe, general- 
izing the unfolding approximation of discounted properties [13]. 
Proposition 52. For every limit property $\Phi$ and all error bounds $\alpha, \beta \in \mathbb{R}_{\geq 0}$,
if $\Phi$ is $\alpha$-safe and $\beta$-co-safe, then the set $S_\delta = \{s \in \Sigma^* \mid \sup_{r_1 \in \Sigma^*} \Phi(sr_1) -$
$\inf_{r_2 \in \Sigma^*} \Phi(sr_2) > \delta\}$ is finite for all reals $\delta > \alpha + \beta$.


Based on this proposition, we show that, for limit properties that are both 
approximately safe and approximately co-safe, the influence of the suffix on the 
property value is eventually negligible. 


Theorem 53. For every limit property $\Phi$ such that $\Phi(f) \in \mathbb{R}$ for all $f \in \Sigma^\omega$,
and for all error bounds $\alpha, \beta \in \mathbb{R}_{\geq 0}$, if $\Phi$ is $\alpha$-safe and $\beta$-co-safe, then for every
real $\delta > \alpha + \beta$ and trace $f \in \Sigma^\omega$, there is a prefix $s \prec f$ such that for all
continuations $w \in \Sigma^* \cup \Sigma^\omega$, we have $|\Phi(sw) - \Phi(s)| < \delta$.


We illustrate this theorem with a discounted safety property. 


Example 54. Let $P \subseteq \Sigma^\omega$ be a boolean safety property. We define the finitary
property $\pi_P : \Sigma^* \to [0,1]$ as follows: $\pi_P(s) = 1$ if $sf \in P$ for some $f \in \Sigma^\omega$,
and $\pi_P(s) = 1 - 2^{-|r|}$ otherwise, where $r \prec s$ is the shortest prefix with $rf \notin P$
for all $f \in \Sigma^\omega$. The limit property $\Phi = (\pi_P, \inf)$ is called discounted safety [3].
Because $\Phi$ is an inf-property, it is safe by Theorem 20. Now consider the finitary
property $\pi'_P$ defined by $\pi'_P(s) = 1 - 2^{-|s|}$ if $sf \in P$ for some $f \in \Sigma^\omega$, and
$\pi'_P(s) = 1 - 2^{-|r|}$ otherwise, where $r \prec s$ is the shortest prefix with $rf \notin P$ for
all $f \in \Sigma^\omega$. Let $\Phi' = (\pi'_P, \sup)$, and note that $\Phi(f) = \Phi'(f)$ for all $f \in \Sigma^\omega$.
Hence $\Phi$ is also co-safe, because it is a sup-property.

Let $f \in \Sigma^\omega$ and $\delta > 0$. For every prefix $s \prec f$, the set of possible prediction
values is either the range $[1 - 2^{-|s|}, 1]$ or the singleton $\{1 - 2^{-|r|}\}$, where $r \prec s$
is chosen as above. In the latter case, we have $|\Phi(sw) - \Phi(s)| = 0 < \delta$ for all
$w \in \Sigma^* \cup \Sigma^\omega$. In the former case, since the range becomes smaller as the prefix
grows, there is a prefix $s' \prec f$ with $2^{-|s'|} < \delta$, which yields $|\Phi(s'w) - \Phi(s')| < \delta$
for all $w \in \Sigma^* \cup \Sigma^\omega$.
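The freezing argument of Example 54 in code, as an added example that is not from the paper: for a constructed boolean safety property $P$ over $\{a, b\}$ ("$b$ never occurs twice in a row", whose bad prefixes are exactly the finite traces containing $bb$) it computes $\pi_P$ and $\pi'_P$, the range of possible prediction values after each prefix, and an approximate monitor that freezes its verdict as soon as that range is narrower than $\delta$, which is how Theorem 53 yields a finite-state monitor in Theorem 56. The property, the function names and the lasso evaluation (with its assumption in the docstring) are mine.

```python
def is_bad_prefix(s):
    """True iff no continuation of s lies in the constructed safety property P."""
    return "bb" in s


def shortest_bad_prefix_length(s):
    """|r| for the shortest bad prefix r of s, or None if s still has a continuation in P."""
    for n in range(len(s) + 1):
        if is_bad_prefix(s[:n]):
            return n
    return None


def pi_P(s):
    """pi_P of Example 54: 1 while P can still be met, 1 - 2^-|r| once it is violated."""
    n = shortest_bad_prefix_length(s)
    return 1.0 if n is None else 1.0 - 2.0 ** (-n)


def pi_P_prime(s):
    """pi'_P of Example 54: 1 - 2^-|s| while P can still be met, else as pi_P."""
    n = shortest_bad_prefix_length(s)
    return 1.0 - 2.0 ** (-len(s)) if n is None else 1.0 - 2.0 ** (-n)


def prediction_range(s):
    """(lower, upper) bound of the possible prediction values after s:
    the range [1 - 2^-|s|, 1] while s is good, a singleton once s is bad."""
    return pi_P_prime(s), pi_P(s)


def freeze_depth(delta):
    """Smallest n with 2^-n < delta: after n observations the range is narrower than delta."""
    n = 0
    while 2.0 ** (-n) >= delta:
        n += 1
    return n


def approximate_monitor(trace, delta):
    """Reads trace one observation at a time and freezes as soon as the range of
    possible prediction values is narrower than delta (Theorem 53). Returns
    (frozen value, observations consumed), or None if the trace is too short
    for the range to shrink below delta. Since Phi = (pi_P, inf), the frozen
    value is pi_P of the prefix read so far."""
    if delta <= 0:
        raise ValueError("delta must be positive")
    for n in range(len(trace) + 1):
        lo, hi = prediction_range(trace[:n])
        if hi - lo < delta:
            return pi_P(trace[:n]), n
    return None


def phi_lasso(u, v):
    """Phi = (pi_P, inf) on the ultimately periodic trace u v^omega.

    Assumption made for this example (not from the paper): a violation of the
    pattern "bb" in u v^omega already shows up within u v v, so the infimum over
    all prefixes is attained on that finite prefix.
    """
    return pi_P(u + v + v)


if __name__ == "__main__":
    delta = 0.1
    print(freeze_depth(delta))                    # 4 observations suffice
    print(approximate_monitor("ababab", delta))   # frozen at 1.0 after 4 observations
    print(approximate_monitor("bbab", delta))     # violation after 2: frozen at 0.75
    # Whatever happens after the freeze point, the true value stays within delta.
    print(phi_lasso("ababab", "abbab"))
```

The monitor reads at most `freeze_depth(delta)` observations before committing, so the monitor needs to distinguish only the good prefixes up to that length together with the finitely many "bad since position $k$" outcomes: a finite state space, as Theorem 56 promises for every positive error bound.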


6.2 Finite-state Approximate Monitoring 


Monitors with finite state spaces are particularly desirable, because finite au- 
tomata enjoy a plethora of desirable closure and decidability properties. Here, 
we prove that properties that are both approximately safe and approximately 
co-safe can be monitored approximately by a finite-state monitor. First, we recall 
the notion of abstract quantitative monitor from [30]. 

A binary relation $\sim$ over $\Sigma^*$ is an equivalence relation iff it is reflexive,
symmetric, and transitive. Such a relation is right-monotonic iff $s_1 \sim s_2$ implies
$s_1 r \sim s_2 r$ for all $s_1, s_2, r \in \Sigma^*$. For an equivalence relation $\sim$ over $\Sigma^*$ and a finite
trace $s \in \Sigma^*$, we write $[s]_\sim$ for the equivalence class of $\sim$ to which $s$ belongs.
When $\sim$ is clear from the context, we write $[s]$ instead. We denote by $\Sigma^*/{\sim}$ the
quotient of the relation $\sim$.


Definition 55 (Abstract monitor [30]). An abstract monitor $\mathcal{M} = (\sim, \gamma)$
is a pair consisting of a right-monotonic equivalence relation $\sim$ on $\Sigma^*$ and a
function $\gamma : (\Sigma^*/{\sim}) \to \mathbb{R}^{\pm\infty}$. The monitor $\mathcal{M}$ is finite-state iff the relation
$\sim$ has finitely many equivalence classes. Let $\delta_{fin}, \delta_{lim} \in \mathbb{R}$ be error bounds.
We say that $\mathcal{M}$ is a $(\delta_{fin}, \delta_{lim})$-monitor for a given limit property $\Phi = (\pi, \ell)$ iff
for all $s \in \Sigma^*$ and $f \in \Sigma^\omega$, we have $|\pi(s) - \gamma([s])| \leq \delta_{fin}$ and $|\ell_{s \prec f}(\pi(s)) -$
$\ell_{s \prec f}(\gamma([s]))| \leq \delta_{lim}$.


Building on Theorem 53, we identify a sufficient condition to guarantee the 
existence of an abstract monitor with finitely many equivalence classes. 


Theorem 56. For every limit property $\Phi$ such that $\Phi(f) \in \mathbb{R}$ for all $f \in \Sigma^\omega$,
and for all error bounds $\alpha, \beta \in \mathbb{R}_{\geq 0}$, if $\Phi$ is $\alpha$-safe and $\beta$-co-safe, then for every
real $\delta > \alpha + \beta$, there exists a finite-state $(0, \delta)$-monitor for $\Phi$.


Due to Theorem 56, the discounted safety property of Example 54 has a 
finite-state monitor for every positive error bound. We remark that Theorem 56 
is proved by a construction that generalizes the unfolding approach for the ap- 
proximate determinization of discounted automata [12], which unfolds an au- 
tomaton until the distance constraint is satisfied. 


7 Conclusion 


We presented a generalization of safety and liveness that lifts the safety-progress 
hierarchy to the quantitative setting of [18] while preserving major desirable 
features of the boolean setting, such as the safety-liveness decomposition. 

Monitorability identifies a boundary separating properties that can be ver- 
ified or falsified from a finite number of observations, from those that cannot. 
Safety-liveness and co-safety-co-liveness decompositions allow us to separate, for an 
individual property, monitorable parts from nonmonitorable parts. The larger 
the monitorable parts of the given property, the stronger the decomposition. 
We provided the strongest known safety-liveness decomposition, which consists 
of a pointwise minimum between a safe part defined by a quantitative safety 
closure, and a live part which corrects for the difference. We then defined ap- 
proximate safety as the relaxation of safety by a parametric error bound. This 
further increases the monitorability of properties and offers monitorability at a 
parametric cost. In fact, we showed that every property that is both approx- 
imately safe and approximately co-safe can be monitored arbitrarily precisely 
by a finite-state monitor. A future direction is to extend our decomposition to 
approximate safety together with a support for quantitative assumptions [32]. 

The literature contains efficient model-checking procedures that leverage the 
boolean safety hypothesis [36,40]. We thus expect that also quantitative safety 
and co-safety, and their approximations, enable efficient verification algorithms 
for quantitative properties. 
Abstract. We look into the problems of comparing nondeterministic discounted-sum automata on finite and infinite words. That is, the problems of checking for automata A and B whether or not it holds that for all words w, A(w) = B(w), A(w) ≤ B(w), or A(w) < B(w).

These problems are known to be decidable when both automata have 
the same single integral discount factor, while decidability is open in all 
other settings: when the single discount factor is a non-integral rational; 
when each automaton can have multiple discount factors; and even when 
each has a single integral discount factor, but the two are different. 

We show that it is undecidable to compare discounted-sum automata with multiple discount factors, even if all are integral, while it is decidable to compare them if each has a single, possibly different, integral discount factor. To this end, we also provide algorithms to check for a given nondeterministic automaton N and deterministic automaton D, each with a single, possibly different, rational discount factor, whether or not N(w) = D(w), N(w) ≥ D(w), or N(w) > D(w) for all words w.


Keywords: Discounted-sum Automata · Comparison · Containment


1 Introduction 


Equivalence and containment checks of Boolean automata, namely the checks of whether L(A) = L(B), L(A) ⊆ L(B), or L(A) ⊂ L(B), where L(A) and L(B) are the languages that A and B recognize, are central in the usage of automata theory in diverse areas, and in particular in formal verification (e.g., [34,26,17,33,35,28]). Likewise, comparison of quantitative automata, which extends the equivalence and containment checks by asking whether A(w) = B(w), whether A(w) ≤ B(w), or whether A(w) < B(w) for all words w, is essential for harnessing quantitative-automata theory to the service of diverse fields and in particular to the service of quantitative formal verification (e.g., [15,14,21,11,27,3,5,22]).

Discounted summation is a common valuation function in quantitative automata theory (e.g., [19,12,14,15]), as well as in various other computational models, such as games (e.g., [37,4,1]), Markov decision processes (e.g., [23,29,16]), and reinforcement learning (e.g., [32,36]), as it formalizes the concept that an immediate reward is better than a potential one in the far future, as well as that a potential problem (such as a bug in a reactive system) in the far future is less troubling than a current one.


A nondeterministic discounted-sum automaton (NDA) has rational weights on the transitions, and a fixed rational discount factor λ > 1. The value of a (finite or infinite) run is the discounted summation of the weights on the transitions, such that the weight in the i-th transition of the run is divided by λ^i. The value of a (finite or infinite) word is the infimum value of the automaton runs on it. An NDA thus realizes a function from words to real numbers.

NDAs cannot always be determinized [15], they are not closed under basic algebraic operations [8], and their comparison is not known to be decidable, relating to various longstanding open problems [9]. However, restricting NDAs to have an integral discount factor λ ∈ ℕ \ {0,1} provides a robust class of automata that is closed under determinization and under algebraic operations, and for which comparison is decidable [8].

Various variants of NDAs are studied in the literature, among which are 
functional, k-valued, probabilistic, and more [21,20,13]. Yet, until recently, all of 
these models were restricted to have a single discount factor. This is a signifi- 
cant restriction of the general discounted-summation paradigm, in which multi- 
ple discount factors are considered. For example, Markov decision processes and 
discounted-sum games allow multiple discount factors within the same entity 
[23,4]. In [6], NDAs were extended to NMDAs, allowing for multiple discount 
factors, where each transition can have a different one. Special attention was 
given to integral NMDAs, namely to those with only integral discount factors, 
analyzing whether they preserve the good properties of integral NDAs. It was 
shown that they are generally not closed under determinization and under alge- 
braic operations, while a restricted class of them, named tidy-NMDAs, in which 
the choice of discount factors depends on the prefix of the word read so far, does 
preserve the good properties of integral NDAs. 


While comparison of tidy-NMDAs with the same choice function is decidable in PSPACE [6], it was left open whether comparison of general integral NMDAs A and B is decidable. It is even open whether comparison of two integral NDAs with different (single) discount factors is decidable.


We show that it is undecidable to resolve for given NMDA N and deterministic NMDA (DMDA) D, even if both have only integral discount factors, on both finite and infinite words, whether N = D and whether N ≤ D, and on finite words also whether N < D. We prove the undecidability result by reduction from the halting problem of two-counter machines. The general scheme follows similar reductions, such as in [18,2], yet the crux is in simulating a counter by integral NMDAs. Upfront, discounted summation is not suitable for simulating counters, since a current increment has, in the discounted setting, a much higher influence than a far-away decrement. However, we show that multiple discount factors allow, in a sense, to eliminate the influence of time, having automata in which no matter where a letter appears in the word, it will have the same influence on the automaton value (see Lemma 1 and Fig. 3). Another main part of the proof is in showing how to nondeterministically adjust the automaton weights and discount factors in order to "detect" whether a counter is at a current value 0 (see Figs. 5, 6, 8 and 9).

On the positive side, we provide algorithms to decide for given NDA N and deterministic NDA (DDA) D, with arbitrary, possibly different, rational discount factors, whether N = D, N ≥ D, or N > D (Theorem 4). Our algorithms work on both finite and infinite words, and run in PSPACE when the automata weights are represented in binary and their discount factors in unary. Since integral NDAs can always be determinized [8], our method also provides an algorithm to compare two integral NDAs, though not necessarily in PSPACE, since determinization might exponentially increase the number of states. (Even though determinization of NDAs is in PSPACE [8,6], the exponential number of states might require exponential space in our algorithms for comparing NDAs with different discount factors.)

The challenge with comparing automata with different discount factors comes 
from the combination of their different accumulations, which tends to be in- 
tractable, resulting in the undecidability of comparing integral NMDAs, and in 
the open problems of comparing rational NDAs and of analyzing the represen- 
tation of numbers in a non-integral basis [30,24,25,9]. Yet, the main observation 
underlying our algorithm is that when each automaton has a single discount fac- 
tor, we may unfold the combination of their computation trees only up to some 
level k, after which we can analyze their continuation separately, first handling 
the automaton with the lower (slower decreasing) discount factor and then the 
other one. The idea is that after level k, since the accumulated discounting of the 
second automaton is already much more significant, even a single non-optimal 
transition of the first automaton cannot be compensated by a continuation that 
is better with respect to the second automaton. We thus compute the optimal 
suffix words and runs of the first automaton from level k, on top of which we 
compute the optimal runs of the second automaton. 


2 Preliminaries 


Words. An alphabet Σ is an arbitrary finite set, and a word over Σ is a finite or infinite sequence of letters in Σ, with ε for the empty word. We denote the concatenation of a finite word u and a finite or infinite word w by u·w, or simply by uw. We define Σ^+ to be the set of all finite words except the empty word, i.e., Σ^+ = Σ* \ {ε}. For a word w = σ_0 σ_1 σ_2 ⋯ and indexes i ≤ j, we denote the letter at index i as w[i] = σ_i, and the sub-word from i to j as w[i..j] = σ_i σ_{i+1} ⋯ σ_j.

For a finite word w and letter σ ∈ Σ, we denote the number of occurrences of σ in w by #(σ, w), and for a set S ⊆ Σ, we denote Σ_{σ∈S} #(σ, w) by #(S, w). For a finite or infinite word w and a letter σ ∈ Σ, we define the prefix of w up to σ, PREF_σ(w), as the minimal prefix of w that contains a σ letter if there is a σ letter in w, or w itself if it does not contain any σ letters. Formally,

$$\mathrm{PREF}_\sigma(w) = \begin{cases} w[0..\min\{i \mid w[i] = \sigma\}] & \exists i.\ w[i] = \sigma \\ w & \text{otherwise} \end{cases}$$
Automata. A nondeterministic discounted-sum automaton (NDA) [15] is an automaton with rational weights on the transitions, and a fixed rational discount factor λ > 1. A nondeterministic discounted-sum automaton with multiple discount factors (NMDA) [6] is similar to an NDA, but with possibly a different discount factor on each of its transitions. They are formally defined as follows:


Definition 1 ([6]). A nondeterministic discounted-sum automaton with multiple discount factors (NMDA), on finite or infinite words, is a tuple A = (Σ, Q, ι, δ, γ, ρ) over an alphabet Σ, with a finite set of states Q, an initial set of states ι ⊆ Q, a transition function δ ⊆ Q × Σ × Q, a weight function γ : δ → ℚ, and a discount-factor function ρ : δ → ℚ ∩ (1, ∞), assigning to each transition its discount factor, which is a rational greater than one.¹

— A run of A is a sequence of states and alphabet letters, p_0, σ_0, p_1, σ_1, p_2, ⋯, such that p_0 ∈ ι is an initial state, and for every i, (p_i, σ_i, p_{i+1}) ∈ δ.

— The length of a run r, denoted by |r|, is n for a finite run r = p_0, σ_0, p_1, ⋯, σ_{n−1}, p_n, and ∞ for an infinite run.

— For an index i < |r|, we define the i-th transition of r as r[i] = (p_i, σ_i, p_{i+1}), and the prefix run with i transitions as r[0..i] = p_0, σ_0, p_1, ⋯, σ_i, p_{i+1}.

— The value of a finite/infinite run r is

$$A(r) = \sum_{i=0}^{|r|-1} \Big( \gamma(r[i]) \cdot \prod_{j=0}^{i-1} \frac{1}{\rho(r[j])} \Big).$$

For example, the value of the run r_1 = q_0, a, q_0, a, q_1, b, q_2 of A from Fig. 1 is A(r_1) = 2.

— The value of A on a finite or infinite word w is A(w) = inf{A(r) | r is a run of A on w}.

— For every finite run r = p_0, σ_0, p_1, ⋯, σ_{n−1}, p_n, we define the target state as δ(r) = p_n and the accumulated discount factor as ρ(r) = ∏_{i=0}^{n−1} ρ(r[i]).

— When all discount factors are integers, we say that A is an integral NMDA.

— In the case where |ι| = 1 and for every q ∈ Q and σ ∈ Σ, we have |{q' | (q, σ, q') ∈ δ}| ≤ 1, we say that A is deterministic, denoted by DMDA, and view δ as a function from words to states.

— When the discount factor function ρ is constant, ρ ≡ λ ∈ ℚ ∩ (1, ∞), we say that A is a nondeterministic discounted-sum automaton (NDA) [15] with discount factor λ (a λ-NDA). If A is deterministic, it is a λ-DDA.

— For a state q ∈ Q, we write A^q for the NMDA A^q = (Σ, Q, {q}, δ, γ, ρ).
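As an added example (not code from the paper), the following Python class implements Definition 1 for finite words: run values with exact rational arithmetic, the infimum over all runs on a word, the accumulated discount factor, and the determinism and integrality checks. The automaton A below is constructed for this example and is not the automaton of Fig. 1.

```python
from fractions import Fraction
from math import inf


class NMDA:
    """An NMDA (Sigma, Q, iota, delta, gamma, rho) on finite words, as in Definition 1.
    transitions maps (p, sigma, q) to (gamma, rho), i.e. weight and discount factor."""

    def __init__(self, alphabet, states, initial, transitions):
        self.alphabet = set(alphabet)
        self.states = set(states)
        self.initial = set(initial)
        self.transitions = dict(transitions)
        for (_, rho) in self.transitions.values():
            assert rho > 1, "discount factors must be rationals greater than one"

    def run_value(self, run):
        """A(r) = sum_i gamma(r[i]) * prod_{j<i} 1/rho(r[j]) for a finite run
        given as the list [p0, s0, p1, s1, ..., p_n]."""
        total, acc = Fraction(0), Fraction(1)  # acc = 1 / accumulated discount so far
        for i in range(0, len(run) - 1, 2):
            gamma, rho = self.transitions[(run[i], run[i + 1], run[i + 2])]
            total += gamma * acc
            acc /= rho
        return total

    def accumulated_discount(self, run):
        """rho(r): the product of the discount factors along a finite run."""
        acc = Fraction(1)
        for i in range(0, len(run) - 1, 2):
            acc *= self.transitions[(run[i], run[i + 1], run[i + 2])][1]
        return acc

    def runs(self, word):
        """All runs of the automaton on a finite word (nondeterministic choices unfolded)."""
        def extend(run, rest):
            if not rest:
                yield run
                return
            p, sigma = run[-1], rest[0]
            for (src, a, q) in self.transitions:
                if src == p and a == sigma:
                    yield from extend(run + [sigma, q], rest[1:])
        for p0 in self.initial:
            yield from extend([p0], list(word))

    def value(self, word):
        """A(w) = inf over all runs on w; the infimum of the empty set is +infinity."""
        return min((self.run_value(r) for r in self.runs(word)), default=inf)

    def is_deterministic(self):
        if len(self.initial) != 1:
            return False
        seen = set()
        for (p, sigma, _) in self.transitions:
            if (p, sigma) in seen:
                return False
            seen.add((p, sigma))
        return True

    def is_integral(self):
        return all(Fraction(rho).denominator == 1 for (_, rho) in self.transitions.values())


# Constructed NMDA for this example (not the one of Fig. 1): q0 has two a-transitions.
A = NMDA(
    alphabet="ab", states=["q0", "q1", "q2"], initial=["q0"],
    transitions={
        ("q0", "a", "q0"): (Fraction(1), 2),
        ("q0", "a", "q1"): (Fraction(1, 2), 4),
        ("q1", "b", "q2"): (Fraction(2), 2),
        ("q0", "b", "q2"): (Fraction(3), 3),
    },
)

if __name__ == "__main__":
    r1 = ["q0", "a", "q0", "a", "q1", "b", "q2"]
    print(A.run_value(r1), A.accumulated_discount(r1))  # 3/2 16
    print(A.value("ab"), A.value("aab"), A.value("ba"))  # 1 3/2 inf
    print(A.is_deterministic(), A.is_integral())         # False True
```

On the word ab the two runs have values 1 + 3/2 = 5/2 and 1/2 + 2·(1/4) = 1, so A(ab) = 1; on ba no run exists, so A(ba) = ∞.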


Counter machines. A two-counter machine [31] M is a sequence (l_1, …, l_n) of commands, for some n ∈ ℕ, involving two counters x and y. We refer to {1, …, n} as the locations of the machine. For every i ∈ {1, …, n} we refer to l_i as the command in location i. There are five possible forms of commands:

INC(c), DEC(c), GOTO l_k, IF c=0 GOTO l_k ELSE GOTO l_{k'}, HALT,

where c ∈ {x, y} is a counter and 1 ≤ k, k' ≤ n are locations. For not decreasing a zero-valued counter c ∈ {x, y}, every DEC(c) command is preceded by the command IF c=0 GOTO <CURRENT_LINE> ELSE GOTO <NEXT_LINE>, and there are no other direct goto-commands to it. The counters are initially set to 0. An example of a two-counter machine is given in Fig. 2.

¹ Discount factors are sometimes defined as numbers between 0 and 1, under which setting weights are multiplied by these factors rather than divided by them.

Fig. 1. An NMDA A. The labeling on the transitions indicates the alphabet letter, the weight of the transition, and its discount factor.


l_1. INC(x)
l_2. INC(x)
l_3. IF x=0 GOTO l_3 ELSE GOTO l_4
l_4. DEC(x)
l_5. IF x=0 GOTO l_6 ELSE GOTO l_3
l_6. HALT

Fig. 2. An example of a two-counter machine.


Let L be the set of possible commands in M, then a run of M is a sequence ψ = ψ_1, …, ψ_m ∈ (L × ℕ × ℕ)* such that the following hold:

1. ψ_1 = (l_1, 0, 0).
2. For all 1 < i ≤ m, let ψ_{i−1} = (l_j, α_x, α_y) and ψ_i = (l', α'_x, α'_y). Then, the following hold.
— If l_j is an INC(x) command (resp. INC(y)), then α'_x = α_x + 1, α'_y = α_y (resp. α'_y = α_y + 1, α'_x = α_x), and l' = l_{j+1}.
— If l_j is DEC(x) (resp. DEC(y)) then α'_x = α_x − 1, α'_y = α_y (resp. α'_y = α_y − 1, α'_x = α_x), and l' = l_{j+1}.
— If l_j is GOTO l_k then α'_x = α_x, α'_y = α_y, and l' = l_k.
— If l_j is IF x=0 GOTO l_k ELSE GOTO l_{k'} then α'_x = α_x, α'_y = α_y, and l' = l_k if α_x = 0, and l' = l_{k'} otherwise.
— If l_j is IF y=0 GOTO l_k ELSE GOTO l_{k'}, then α'_x = α_x, α'_y = α_y, and l' = l_k if α_y = 0, and l' = l_{k'} otherwise.
— If l' is HALT then i = m, namely a run does not continue after HALT.

If, in addition, we have that ψ_m = (l_j, α_x, α_y) such that l_j is a HALT command, we say that ψ is a halting run. We say that a machine M 0-halts if its run is halting and ends in (l_j, 0, 0). We say that a sequence of commands τ ∈ L* fits a run ψ, if τ is the projection of ψ on its first component.

The command trace σ = σ_1, …, σ_m of a halting run ψ = ψ_1, …, ψ_m describes the flow of the run, including a description of whether a counter c was equal to 0 or larger than 0 in each occurrence of an IF c=0 GOTO l_k ELSE GOTO l_{k'} command. It is formally defined as follows. σ_m = HALT and for every 1 < i ≤ m, we define σ_{i−1} according to ψ_{i−1} = (l_j, α_x, α_y) in the following manner:

— σ_{i−1} = l_j, if l_j is not of the form IF c=0 GOTO l_k ELSE GOTO l_{k'}.
— σ_{i−1} = (GOTO l_k, c = 0) for c ∈ {x, y}, if α_c = 0 and the command l_j is of the form IF c=0 GOTO l_k ELSE GOTO l_{k'}.
— σ_{i−1} = (GOTO l_{k'}, c > 0) for c ∈ {x, y}, if α_c > 0 and the command l_j is of the form IF c=0 GOTO l_k ELSE GOTO l_{k'}.

For example, the command trace of the halting run of the machine in Fig. 2 is INC(x), INC(x), (GOTO l_4, x > 0), DEC(x), (GOTO l_3, x > 0), (GOTO l_4, x > 0), DEC(x), (GOTO l_6, x = 0), HALT.

Deciding whether a given counter machine M halts is known to be undecid- 
able [31]. Deciding whether M halts with both counters having value 0, termed 
the 0-halting problem, is also undecidable. Indeed, the halting problem can be 
reduced to the latter by adding some commands that clear the counters, before 
every HALT command. 
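The run semantics and command-trace definition above, as an added Python example (not the paper's own code): the simulator below executes a two-counter machine, checks the well-formedness constraint on DEC(c) commands, decides 0-halting for runs that terminate within a step bound, and produces the command trace. The encoded machine is the one of Fig. 2, and the computed trace is the one listed above.

```python
# Commands are tuples: ("INC", c), ("DEC", c), ("GOTO", k), ("IFZ", c, k, k2), ("HALT",)
# where ("IFZ", c, k, k2) stands for IF c=0 GOTO l_k ELSE GOTO l_k2 and locations are
# 1-based, as in the paper. FIG2 encodes the machine of Fig. 2.
FIG2 = [
    ("INC", "x"),          # l1
    ("INC", "x"),          # l2
    ("IFZ", "x", 3, 4),    # l3. IF x=0 GOTO l3 ELSE GOTO l4
    ("DEC", "x"),          # l4
    ("IFZ", "x", 6, 3),    # l5. IF x=0 GOTO l6 ELSE GOTO l3
    ("HALT",),             # l6
]


def jump_targets(cmd):
    """Locations a command jumps to directly."""
    if cmd[0] == "GOTO":
        return (cmd[1],)
    if cmd[0] == "IFZ":
        return (cmd[2], cmd[3])
    return ()


def is_well_formed(machine):
    """Every DEC(c) at location i must be preceded by l_{i-1} = IF c=0 GOTO l_{i-1}
    ELSE GOTO l_i, and no other command may jump directly to location i."""
    for i, cmd in enumerate(machine, start=1):
        if cmd[0] != "DEC":
            continue
        if i == 1 or machine[i - 2] != ("IFZ", cmd[1], i - 1, i):
            return False
        for j, other in enumerate(machine, start=1):
            if i in jump_targets(other) and j != i - 1:
                return False
    return True


def run(machine, max_steps=10_000):
    """The run psi_1, ..., psi_m as a list of (location, alpha_x, alpha_y).
    Halting is undecidable in general, so the simulation is cut off after
    max_steps and returns None when no HALT was reached by then."""
    loc, ctr = 1, {"x": 0, "y": 0}
    psi = [(loc, ctr["x"], ctr["y"])]
    for _ in range(max_steps):
        cmd = machine[loc - 1]
        if cmd[0] == "HALT":
            return psi                      # a run does not continue after HALT
        if cmd[0] == "INC":
            ctr[cmd[1]] += 1
            loc += 1
        elif cmd[0] == "DEC":
            assert ctr[cmd[1]] > 0, "a well-formed machine never decrements a zero counter"
            ctr[cmd[1]] -= 1
            loc += 1
        elif cmd[0] == "GOTO":
            loc = cmd[1]
        elif cmd[0] == "IFZ":
            loc = cmd[2] if ctr[cmd[1]] == 0 else cmd[3]
        psi.append((loc, ctr["x"], ctr["y"]))
    return None


def zero_halts(machine):
    """M 0-halts iff its run is halting and ends with both counters at 0."""
    psi = run(machine)
    return psi is not None and psi[-1][1:] == (0, 0)


def command_trace(machine, psi):
    """sigma_1, ..., sigma_m of a halting run psi: the command at each step, with a
    conditional jump replaced by the branch taken and the outcome of its test."""
    trace = []
    for (loc, ax, ay) in psi:
        cmd = machine[loc - 1]
        if cmd[0] == "IFZ":
            c, k, k2 = cmd[1:]
            val = ax if c == "x" else ay
            trace.append(f"(GOTO l{k}, {c}=0)" if val == 0 else f"(GOTO l{k2}, {c}>0)")
        elif cmd[0] == "GOTO":
            trace.append(f"GOTO l{cmd[1]}")
        elif cmd[0] == "HALT":
            trace.append("HALT")
        else:
            trace.append(f"{cmd[0]}({cmd[1]})")
    return trace


if __name__ == "__main__":
    psi = run(FIG2)
    print(is_well_formed(FIG2), zero_halts(FIG2))
    print(command_trace(FIG2, psi))
```

The step bound is the only way to make `run` total: by the undecidability result quoted above, no simulator can decide halting for every machine, so `None` means "did not halt within the bound", not "does not halt".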


3 Comparison of NMDAs 


We show that comparison of (integral) NMDAs is undecidable by reduction from 
the halting problem of two-counter machines. Notice that our NMDAs only use 
integral discount factors, while they do have non-integral weights. Yet, weights 
can be easily changed to integers as well, by multiplying them all by a common 
denominator and making the corresponding adjustments in the calculations. 

We start with a lemma on the accumulated value of certain series of discount factors and weights. Observe that by the lemma, no matter where the pair of discount factor λ ∈ ℕ \ {0,1} and weight w = (λ−1)/λ appears along the run, it will have the same effect on the accumulated value. This property will play a key role in simulating counting by NMDAs.


Lemma 1. For every sequence λ_1, …, λ_m of integers larger than 1 and weights w_1, …, w_m such that w_i = (λ_i − 1)/λ_i, we have

$$\sum_{i=1}^{m} \Big( w_i \cdot \prod_{j=1}^{i-1} \frac{1}{\lambda_j} \Big) = 1 - \prod_{i=1}^{m} \frac{1}{\lambda_i}.$$


The proof is by induction on m and appears in [7]. 


3.1 The Reduction 


We turn to our reduction from the halting problem of two-counter machines 
to the problem of NMDA containment. We provide the construction and the 
correctness lemma with respect to automata on finite words, and then show in 
Section 3.2 how to use the same construction also for automata on infinite words. 

Given a two-counter machine M with the commands (l_1, …, l_n), we construct an integral DMDA A and an integral NMDA B on finite words, such that M 0-halts iff there exists a word w ∈ Σ^+ such that B(w) > A(w) iff there exists a word w ∈ Σ^+ such that B(w) ≥ A(w).
The automata A and B operate over the following alphabet Σ, which consists of 5n + 5 letters, standing for the possible elements in a command trace of M:

Σ^INCDEC = { INC(x), DEC(x), INC(y), DEC(y) }
Σ^GOTO = { GOTO l_k : k ∈ {1, …, n} } ∪ { (GOTO l_k, c=0) : k ∈ {1, …, n}, c ∈ {x, y} } ∪ { (GOTO l_{k'}, c>0) : k' ∈ {1, …, n}, c ∈ {x, y} }
Σ^NOHALT = Σ^INCDEC ∪ Σ^GOTO
Σ = Σ^NOHALT ∪ {HALT}


When A and B read a word w ∈ Σ^+, they intuitively simulate a sequence of commands τ_u that induces the command trace u = PREF_HALT(w). If τ_u fits the actual run of M, and this run 0-halts, then the minimal run of B on w has a value strictly larger than A(w). If, however, τ_u does not fit the actual run of M, or it does fit the actual run but it does not 0-halt, then the violation is detected by B, which has a run on w with value strictly smaller than A(w).

In the construction, we use the following partial discount-factor functions ρ_p, ρ_d : Σ^NOHALT → ℕ and partial weight functions γ_p, γ_d : Σ^NOHALT → ℚ.

$$\rho_p(\sigma) = \begin{cases} 5 & \sigma = \mathrm{INC}(x) \\ 4 & \sigma = \mathrm{DEC}(x) \\ 7 & \sigma = \mathrm{INC}(y) \\ 6 & \sigma = \mathrm{DEC}(y) \\ 15 & \text{otherwise} \end{cases} \qquad \rho_d(\sigma) = \begin{cases} 4 & \sigma = \mathrm{INC}(x) \\ 5 & \sigma = \mathrm{DEC}(x) \\ 6 & \sigma = \mathrm{INC}(y) \\ 7 & \sigma = \mathrm{DEC}(y) \\ 15 & \text{otherwise} \end{cases}$$

γ_p(σ) = (ρ_p(σ) − 1)/ρ_p(σ) and γ_d(σ) = (ρ_d(σ) − 1)/ρ_d(σ). We say that ρ_p and γ_p are the primal discount-factor and weight functions, while ρ_d and γ_d are the dual functions. Observe that for every c ∈ {x, y} we have that

ρ_p(INC(c)) = ρ_d(DEC(c)) > ρ_p(DEC(c)) = ρ_d(INC(c)) (1)


Intuitively, we will use the primal functions for A’s discount factors and 
weights, and the dual functions for identifying violations. Notice that if changing 
the primal functions to the dual ones in more occurrences of INC(c) letters than 
of DEC(c) letters along some run, then by Lemma 1 the run will get a value lower 
than the original one. 
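An added Python check (not from the paper) of Lemma 1 and of the primal/dual intuition just described. It evaluates the discounted sum for (λ, (λ−1)/λ) pairs with exact rationals, compares it to the closed form 1 − 1/∏λ_i, shows that permuting the pairs does not change the value, and then applies the primal functions ρ_p and the dual functions ρ_d (with γ(σ) = (ρ(σ)−1)/ρ(σ), assumed here to be the weight pairing used by the construction) along the HALT-free command trace of Fig. 2, switching selected positions to the dual functions. Only the accumulated value of a single run is modelled, not the state structure of A and B.

```python
from fractions import Fraction
from functools import reduce
from itertools import permutations


def weight_for(lam):
    """The weight paired with discount factor lam in Lemma 1: w = (lam - 1) / lam."""
    return Fraction(lam - 1, lam)


def discounted_sum(pairs):
    """sum_i w_i * prod_{j<i} 1/lam_j for a run given as (weight, discount factor) pairs."""
    total, acc = Fraction(0), Fraction(1)
    for w, lam in pairs:
        total += w * acc
        acc /= lam
    return total


def lemma1_rhs(lambdas):
    """The closed form of Lemma 1: 1 - 1 / prod_i lam_i."""
    return 1 - Fraction(1, reduce(lambda a, b: a * b, lambdas, 1))


def lemma1_holds(lambdas):
    return discounted_sum([(weight_for(l), l) for l in lambdas]) == lemma1_rhs(lambdas)


def position_independent(lambdas):
    """The product in Lemma 1 is commutative, so the accumulated value does not depend
    on where each (lam, w) pair sits along the run: every permutation gives one value."""
    values = {discounted_sum([(weight_for(l), l) for l in p]) for p in permutations(lambdas)}
    return len(values) == 1


# Primal and dual discount-factor functions of Section 3.1 on Sigma^NOHALT; every
# GOTO-type letter falls under "otherwise" and gets 15.
RHO_P = {"INC(x)": 5, "DEC(x)": 4, "INC(y)": 7, "DEC(y)": 6}
RHO_D = {"INC(x)": 4, "DEC(x)": 5, "INC(y)": 6, "DEC(y)": 7}


def rho(letter, dual=False):
    return (RHO_D if dual else RHO_P).get(letter, 15)


def trace_value(trace, dual_positions=()):
    """Value of a run over a HALT-free command trace whose transitions use the primal
    functions, except at dual_positions, which use the dual ones. Weights follow the
    Lemma 1 pairing gamma(sigma) = (rho(sigma) - 1) / rho(sigma) (assumed here)."""
    pairs = []
    for i, letter in enumerate(trace):
        lam = rho(letter, dual=i in dual_positions)
        pairs.append((weight_for(lam), lam))
    return discounted_sum(pairs)


# The command trace of the 0-halting run of the machine in Fig. 2, without HALT.
TRACE = ["INC(x)", "INC(x)", "(GOTO l4, x>0)", "DEC(x)", "(GOTO l3, x>0)",
         "(GOTO l4, x>0)", "DEC(x)", "(GOTO l6, x=0)"]

if __name__ == "__main__":
    print(lemma1_holds([5, 4, 15]), position_independent([2, 3, 5]))
    base = trace_value(TRACE)
    print(base, trace_value(TRACE, {0}) < base, trace_value(TRACE, {0, 3}) == base)
```

With all transitions primal the product of discount factors along TRACE is 5·5·15·4·15·15·4·15 = 20 250 000, so the value is 1 − 1/20 250 000. Switching the INC(x) at position 0 to the dual functions replaces a 5 by a 4, the product shrinks and the value drops; switching one INC(x) and one DEC(x) together leaves the product, and hence the value, unchanged, which is the balance the checkers of B exploit.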

We continue with their formal definitions. A = (Σ, {q_A, q_halt}, {q_A}, δ_A, γ_A, ρ_A) is an integral DMDA consisting of two states, as depicted in Fig. 3. Observe that the initial state q_A has self loops for every alphabet letter in Σ^NOHALT with weights and discount factors according to the primal functions, and a transition (q_A, HALT, q_halt) with the weight shown in Fig. 3 and a discount factor of 15.

The integral NMDA B = (Σ, Q_B, ι_B, δ_B, γ_B, ρ_B) is the union of the following eight gadgets (checkers), each responsible for checking a certain type of violation in the description of a 0-halting run of M. It also has the states q_freeze, q_halt ∈ Q_B
Fig. 3. The DMDA A constructed for the proof of Lemma 2.


such that for all σ ∈ Σ, there are 0-weighted transitions (q_freeze, σ, q_freeze) ∈ δ_B and (q_halt, σ, q_halt) ∈ δ_B with an arbitrary discount factor. Observe that in all of B's gadgets, the transition over the letter HALT to q_halt has a weight higher than the weight of the corresponding transition in A, so that when no violation is detected, the value of B on a word is higher than the value of A on it.


1. Halt Checker. This gadget, depicted in Fig. 4, checks for violations of non-halting runs. Observe that its initial state q_HC has self loops identical to those of A's initial state, a transition to q_halt over HALT with a weight higher than the corresponding weight in A, and a transition to the state q_last over every letter that is not HALT, "guessing" that the run ends without a HALT command.


Fig. 4. The Halt Checker in the NMDA B.


2. Negative-Counters Checker. The second gadget, depicted in Fig. 5, checks 
that the input prefix u has no more DEC(c) than INC(c) commands for each 
counter c € {x,y}. It is similar to A, however having self loops in its initial 
states that favor DEC(c) commands when compared to A. 


Fig. 5. The negative-counters checker, on the left for x and on the right for y, in the NMDA B.
3. Positive-Counters Checker. The third gadget, depicted in Fig. 6, checks that for every c ∈ {x, y}, the input prefix u has no more INC(c) than DEC(c) commands. It is similar to A, while having self loops in its initial state according to the dual functions rather than the primal ones.


Fig. 6. The Positive-Counters Checker in the NMDA B.


4. Command Checker. The next gadget checks for local violations of successive commands. That is, it makes sure that the letter w_i represents a command that can follow the command represented by w_{i−1} in M, ignoring the counter values. For example, if the command in location l_2 is INC(x), then from state q_2, which is associated with l_2, we move with the letter INC(x) to q_3, which is associated with l_3. The test is local, as this gadget does not check for violations involving illegal jumps due to the values of the counters. An example of the command checker for the counter machine in Fig. 2 is given in Fig. 7.


Fig. 7. The command checker that corresponds to the counter machine in Fig. 2.


The command checker, which is a DMDA, consists of states q_1, …, q_n that correspond to the commands l_1, …, l_n, and the states q_halt and q_freeze. For two locations j and k, there is a transition from q_j to q_k on the letter σ iff l_k can locally follow l_j in a run of M that has σ in the corresponding location of the command trace. That is, either l_j is a GOTO l_k command (meaning l_j = σ = GOTO l_k), k is the next location after j and l_j is an INC or a DEC command (meaning k = j+1 and l_j = σ ∈ Σ^INCDEC), l_j is an IF c=0 GOTO l_k ELSE GOTO l_{k'} command with σ = (GOTO l_k, c = 0), or l_j is an IF c=0 GOTO l_{k'} ELSE GOTO l_k command with σ = (GOTO l_k, c > 0). The weights and discount factors of the Σ^NOHALT transitions mentioned above are according to the primal functions γ_p and ρ_p respectively. For every location j such that l_j = HALT, there is a transition from q_j to q_halt labeled by the letter HALT with the weight shown in Fig. 7 and a discount factor of 16. Every other transition that was not specified above leads to q_freeze with weight 0 and some discount factor.


5,6. Zero-Jump Checkers. The next gadgets, depicted in Fig. 8, check for violations in conditional jumps. In this case, we use a different checker instance for each counter c ∈ {x, y}, ensuring that for every IF c=0 GOTO l_k ELSE GOTO l_{k'} command, if the jump GOTO l_k is taken, then the value of c is indeed 0.


Fig. 8. The Zero-Jump Checker (for a counter c ∈ {x, y}) in the NMDA B.


Intuitively, the first state of the zero-jump checker profits from words that have more INC(c) than DEC(c) letters, while its second state continues like A. If the move to the second state occurred after a balanced number of INC(c) and DEC(c), as it should be in a real command trace, neither the prefix word before the move nor the suffix word after it results in a profit. Otherwise, provided that the counter is 0 at the end of the run (as guaranteed by the negative- and positive-counters checkers), both prefix and suffix words get profits, resulting in a smaller value for the run.

7,8. Positive-Jump Checkers. These gadgets, depicted in Fig. 9, are dual to the zero-jump checkers, checking for the dual violations in conditional jumps. Similarly to the zero-jump checkers, we have a different instance for each counter c ∈ {x, y}, ensuring that for every IF c=0 GOTO l_k ELSE GOTO l_{k'} command, if the jump GOTO l_{k'} is taken, then the value of c is indeed greater than 0.

Intuitively, if the counter is 0 on a (GOTO l_{k'}, c > 0) command when there was no INC(c) command yet, the gadget benefits by moving from its initial state to q_freeze. If there was an INC(c) command, it benefits by having the dual functions on the move from its initial state to its second state over INC(c) and the primal functions on one additional self loop of the second state over DEC(c).


Lemma 2. Given a two-counter machine M, we can compute an integral DMDA A and an integral NMDA B on finite words, such that M 0-halts iff there exists a word w ∈ Σ^+ such that B(w) > A(w) iff there exists a word w ∈ Σ^+ such that B(w) ≥ A(w).


The proof uses the construction presented above, and can be found in [7]. 


3.2 Undecidability of Comparison 


For finite words, the undecidability result directly follows from Lemma 2 and 
the undecidability of the 0-halting problem of counter machines [31]. 
Fig. 9. The Positive-Jump Checker (for a counter c) in the NMDA B.


Theorem 1. Strict and non-strict containment of (integral) NMDAs on finite words are undecidable. More precisely, the problems of deciding for given integral NMDA N and integral DMDA D whether N(w) ≤ D(w) for all finite words w and whether N(w) < D(w) for all finite words w.


For infinite words, undecidability of non-strict containment also follows from the reduction given in Section 3.1, as the reduction considers prefixes of the word until the first HALT command. We leave open the question of whether strict containment is also undecidable for infinite words. The problem with the latter is that a HALT command might never appear in an infinite word w that incorrectly describes a halting run of the two-counter machine, in which case both automata A and B of the reduction will have the same value on w. On words w that have a HALT command but do not correctly describe a halting run of the two-counter machine we have B(w) < A(w), and on a word w that does correctly describe a halting run we have B(w) > A(w). Hence, the reduction only relates to whether B(w) ≤ A(w) for all words w, but not to whether B(w) < A(w) for all words w.


Theorem 2. Non-strict containment of (integral) NMDAs on infinite words is undecidable. More precisely, the problem of deciding for given integral NMDA N and integral DMDA D whether N(w) ≤ D(w) for all infinite words w.


Proof. The automata A and B in the reduction given in Section 3.1 can operate as is on infinite words, ignoring the Halt-Checker gadget of B, which is only relevant to finite words.

Since the values of both A and B on an input word w only relate to the prefix u = PREF_HALT(w) of w until the first HALT command, we still have that B(w) > A(w) if u correctly describes a halting run of the two-counter machine M and that B(w) < A(w) if u is finite and does not correctly describe a halting run of M.

Yet, for infinite words there is also the possibility that the word w does not contain the HALT command. In this case, the value of both A and the command checker of B will converge to 1, getting A(w) = B(w).

Hence, if M 0-halts, there is a word w such that B(w) > A(w), and otherwise, for all words w, we have B(w) ≤ A(w).


Observe that for NMDAs, equivalence and non-strict containment are in- 
terreducible. 


Theorem 3. Equivalence of (integral) NMDAs on finite as well as infinite words is undecidable. That is, the problem of deciding for given integral NMDAs A and B on finite or infinite words whether A(w) = B(w) for all words w.


Proof. Assume toward contradiction the existence of a procedure for equivalence check of A and B. We can use the nondeterminism to obtain an automaton C = A ∪ B, having C(w) = min(A(w), B(w)) ≤ A(w) for all words w. We can then check whether C is equivalent to A, which holds if and only if A(w) ≤ B(w) for all words w. Indeed, if A(w) ≤ B(w) then A(w) = min(A(w), B(w)) = C(w), while if there exists a word w such that B(w) < A(w), we have C(w) = min(A(w), B(w)) < A(w), implying that C and A are not equivalent. Thus, such a procedure contradicts the undecidability of non-strict containment, shown in Theorems 1 and 2.


4 Comparison of NDAs with Different Discount Factors 


We present below our algorithm for the comparison of NDAs with different 
discount factors. We start with automata on infinite words, and then show how 
to solve the case of finite words by reduction to the case of infinite words. 

The algorithm is based on our main observation that, due to the difference between the discount factors, we only need to consider the combination of the automata computation trees up to some level k, after which we can consider first the best/worst continuation of the automaton with the smaller discount factor, and on top of it the worst/best continuation of the second automaton.

For an NDA A, we define its lowest (resp. highest) infinite run value by LOWRUN(A) (resp. HIGHRUN(A)) = min (resp. max) {A(r) | r is an infinite run of A (on some word w ∈ Σ^ω)}.

Observe that we can use min and max (rather than inf and sup) since the infimum and supremum values are indeed attainable by specific infinite runs of the NDA (cf. [10, Proof of Theorem 9]). Notice that LOWRUN(A) and HIGHRUN(A) can be calculated in PTIME by a simple reduction to one-player discounted-payoff games [4].

Considering word values, we also refer to the lowest (resp. highest) word value of A, defined by LOWWORD(A) (resp. HIGHWORD(A)) = min (resp. max) {A(w) | w ∈ Σ^ω}. Observe that LOWWORD(A) = LOWRUN(A), HIGHWORD(A) ≤ HIGHRUN(A), and for a deterministic automaton, HIGHWORD(A) = HIGHRUN(A).

For an NMDA A with states Q, we define the maximal difference between 
suffix runs of A as MaxDiff(A) = max {HighRun(A^q) − LowRun(A^q) | q ∈ Q}. 
Notice that MaxDiff(A) ≥ 0 and that A^q(w) is bounded as follows. 

$$\mathrm{LowRun}(A^q) \le A^q(w) \le \mathrm{LowRun}(A^q) + \mathrm{MaxDiff}(A) \qquad (2)$$


Lemma 3. There is an algorithm that computes for every input discount factors 
λ_A, λ_D ∈ ℚ ∩ (1,∞), λ_A-NDA A and λ_D-DDA D on infinite words the value of 
min{A(w) − D(w) | w ∈ Σ^ω}. 


Proof. Consider an alphabet Σ, discount factors λ_A, λ_D ∈ ℚ ∩ (1,∞), a λ_A-NDA 
A = (Σ, Q_A, ι_A, δ_A, γ_A) and a λ_D-DDA D = (Σ, Q_D, ι_D, δ_D, γ_D). When 
λ_A = λ_D, we can generate a λ_A-NDA C = A − D over the product of A and D 
and compute LowWord(C). 

When λ_A ≠ λ_D, we consider first the case that λ_A < λ_D. 

Our algorithm unfolds the computation trees of A and D up to a level at 
which only the minimal-valued suffix words of A remain relevant. Due to the 
massive difference between the accumulated discount factor in A and the one 
in D, any "penalty" for not continuing with a minimal-valued suffix word 
in A, defined below as m_A, cannot be compensated even by the maximal-valued 
word of D, whose "profit" is at most as high as MaxDiff(D). Hence, at that 
level, it is enough to look among the minimal-valued suffixes of A for the one 
that implies the highest value in D. 

For every transition t = (q,σ,q') ∈ δ_A, let MinVal(q,σ,q') = γ_A(q,σ,q') + 
(1/λ_A) · LowWord(A^{q'}) be the best (minimal) value that A^q can get by taking t as 
the first transition. We say that t is preferred if it starts a minimal-valued infinite 
run of A^q, namely δ_pr = {t = (q,σ,q') ∈ δ_A | MinVal(t) = LowWord(A^q)} is 
the set of preferred transitions of A. Observe that an infinite run of A^q that 
takes only transitions from δ_pr has a value equal to LowRun(A^q) (cf. [10, Proof 
of Theorem 9]). 

If all the transitions of A are preferred, A has the same value on all words, and 
then min{A(w) − D(w) | w ∈ Σ^ω} = LowRun(A) − HighWord(D). (Recall that 
since D is deterministic, we can easily compute HighWord(D).) Otherwise, let 
m_A be the minimal penalty for not taking a preferred transition in A, meaning 

$$m_A = \min\{\mathrm{MinVal}(t'') - \mathrm{MinVal}(t') \mid t' = (q,\sigma',q') \in \delta_{pr},\ t'' = (q,\sigma'',q'') \in \delta_A \setminus \delta_{pr}\}.$$

Observe that m_A > 0. 

Considering the connection between m_A and MaxDiff(D), notice first that 
if MaxDiff(D) = 0, D has the same value on all words, and then we have 
min{A(w) − D(w) | w ∈ Σ^ω} = LowRun(A) − LowRun(D). Otherwise, meaning 
MaxDiff(D) > 0, we unfold the computation trees of A and D for the first 
k levels, until the maximal difference between suffix runs in D, divided by the 
accumulated discount factor of D, is smaller than the minimal penalty for not 
taking a preferred transition in A, divided by the accumulated discount factor 
of A. Meaning, k is the minimal integer such that 

$$\frac{\mathrm{MaxDiff}(D)}{\lambda_D^{\,k}} < \frac{m_A}{\lambda_A^{\,k}} \qquad (3)$$

Starting at level k, the penalty gained by taking a non-preferred transition of A 
cannot be compensated by a higher-valued word of D. 
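The building blocks of the procedure above, as an added Python example that is not the paper's own implementation: LowRun and HighRun of every A^q are computed exactly (rational arithmetic) by policy iteration over positional strategies, each of which yields a lasso run with a closed-form value, and from them MaxDiff, the preferred transitions δ_pr, the penalty m_A and the unfolding level k of Eq. (3). The toy automaton, the encoding of a transition as a (state, letter, state) key and the function names are this example's own assumptions.

```python
from fractions import Fraction

# Constructed toy 2-NDA (not an automaton from the paper): integral weights on
# transitions (source state, letter, target state), discount factor lambda = 2.
# A run's value is sum_i weight(t_i) / lambda^i, as in Eq. (4). Every state is
# assumed to have at least one outgoing transition.
LAMBDA = Fraction(2)
TRANSITIONS = {
    (0, "a", 0): 0, (0, "b", 1): 4,
    (1, "a", 1): 1, (1, "b", 0): 0,
    (2, "a", 1): 5, (2, "b", 2): 1,
}


def states(weights):
    return sorted({t[0] for t in weights} | {t[2] for t in weights})


def lasso_value(start, strategy, weights, lam):
    """Exact value of the run that follows a positional strategy (state -> chosen
    transition) from `start`. Such a run is a lasso t_0..t_{x-1} (t_x..t_{x+y-1})^w,
    so its value is a finite prefix sum plus a geometric series (cf. Lemma 5)."""
    first_seen, run, q = {}, [], start
    while q not in first_seen:
        first_seen[q] = len(run)
        t = strategy[q]
        run.append(Fraction(weights[t]))
        q = t[2]
    x = first_seen[q]                  # prefix length
    y = len(run) - x                   # cycle length
    prefix = sum(w / lam ** i for i, w in enumerate(run[:x]))
    cycle = sum(w / lam ** j for j, w in enumerate(run[x:]))
    return prefix + cycle / (lam ** x * (1 - lam ** -y))


def low_run(weights, lam):
    """LowRun(A^q) for every state q, by policy iteration on the one-player
    discounted game: evaluate the current positional strategy exactly, then
    switch a state's transition only if gamma(t) + V(target)/lam strictly improves."""
    by_state = {q: [t for t in weights if t[0] == q] for q in states(weights)}
    strategy = {q: ts[0] for q, ts in by_state.items()}
    while True:
        values = {q: lasso_value(q, strategy, weights, lam) for q in by_state}
        changed = False
        for q, ts in by_state.items():
            best = min(ts, key=lambda t: weights[t] + values[t[2]] / lam)
            if weights[best] + values[best[2]] / lam < values[q]:
                strategy[q], changed = best, True
        if not changed:
            return values


def high_run(weights, lam):
    """HighRun(A^q): the highest run value of A is minus the lowest run value
    of the automaton with all weights negated."""
    negated = {t: -w for t, w in weights.items()}
    return {q: -v for q, v in low_run(negated, lam).items()}


def max_diff(weights, lam):
    """MaxDiff(A) = max over states q of HighRun(A^q) - LowRun(A^q)."""
    low, high = low_run(weights, lam), high_run(weights, lam)
    return max(high[q] - low[q] for q in low)


def preferred_transitions(weights, lam):
    """delta_pr: transitions t = (q, s, q') whose MinVal(t) = gamma(t) +
    LowRun(A^{q'})/lam equals LowRun(A^q), i.e. t starts a minimal-valued run."""
    low = low_run(weights, lam)
    return {t for t in weights if weights[t] + low[t[2]] / lam == low[t[0]]}


def min_penalty(weights, lam):
    """m_A: the smallest MinVal(t'') - MinVal(t') over a preferred t' and a
    non-preferred t'' leaving the same state (MinVal(t') there is LowRun(A^q)).
    Returns None when every transition is preferred."""
    low = low_run(weights, lam)
    pref = preferred_transitions(weights, lam)
    penalties = [weights[t] + low[t[2]] / lam - low[t[0]]
                 for t in weights if t not in pref]
    return min(penalties) if penalties else None


def unfolding_level(max_diff_d, m_a, lam_a, lam_d):
    """Minimal k with MaxDiff(D)/lam_D^k < m_A/lam_A^k (Eq. (3)); needs lam_A < lam_D."""
    assert 1 < lam_a < lam_d and m_a > 0
    k = 0
    while max_diff_d / lam_d ** k >= m_a / lam_a ** k:
        k += 1
    return k


if __name__ == "__main__":
    print("LowRun:", low_run(TRANSITIONS, LAMBDA))
    print("HighRun:", high_run(TRANSITIONS, LAMBDA))
    print("MaxDiff:", max_diff(TRANSITIONS, LAMBDA))
    print("preferred:", preferred_transitions(TRANSITIONS, LAMBDA))
    print("m_A:", min_penalty(TRANSITIONS, LAMBDA))
```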

At level k, we consider separately every run ψ of A on some prefix word u. 
We should look for a suffix word w that minimizes 

$$A(uw) - D(uw) = A(\psi) + \frac{A^{\delta_A(\psi)}(w)}{\lambda_A^{\,k}} - D(u) - \frac{D^{\delta_D(u)}(w)}{\lambda_D^{\,k}} \qquad (4)$$


A central point of the algorithm is that every word that minimizes A — D 
must take only preferred transitions of A starting at level k (full proof in [7]). 
As all possible remaining continuations after level k yield the same value in A, 
we can choose among them the continuation that yields the highest value in D. 

Let B be the partial automaton with the states of A, but only its preferred 
transitions δ_pr. (We ignore words on which B has no runs.) We shall use the 
automata product B^{δ_A(ψ)} × D^{δ_D(u)} to force suffix words that only take preferred 
transitions of A, while calculating among them the highest value in D. 

Let C^{δ_A(ψ),δ_D(u)} = (Σ, Q_A × Q_D, {(δ_A(ψ), δ_D(u))}, δ_pr × δ_D, γ_C) be the partial 
λ_D-NDA that is generated by the product of B^{δ_A(ψ)} and D^{δ_D(u)}, while only 
considering the weights (and discount factor) of D, meaning γ_C((q,p),σ,(q',p')) = 
γ_D(p,σ,p'). 

A word w has a run in A^{δ_A(ψ)} that uses only preferred transitions iff w has a 
run in C^{δ_A(ψ),δ_D(u)}. Also, observe that the nondeterminism in C is only related 
to the nondeterminism in A, and the weight function of C only depends on the 
weights of D, hence all the runs of C^{δ_A(ψ),δ_D(u)} on the same word result in the 
same value, which is the value of that word in D. Combining both observations, 
we get that a word w has a run in A^{δ_A(ψ)} that uses only preferred transitions iff 
w has a run r in C^{δ_A(ψ),δ_D(u)} such that C^{δ_A(ψ),δ_D(u)}(r) = D^{δ_D(u)}(w). Hence, 
after taking the k-sized run ψ of A, and under the notations defined in Eq. (4), 
a suffix word w that can take only preferred transitions of A, and maximizes 
D^{δ_D(u)}(w), has a value of D^{δ_D(u)}(w) = HighRun(C^{δ_A(ψ),δ_D(u)}). This leads to 


$$\begin{aligned}
&\min\{A(v) - D(v) \mid v \in \Sigma^\omega\} = \\
&\min\Big\{A(\psi) + \frac{A^{\delta_A(\psi)}(w)}{\lambda_A^{\,k}} - D(u) - \frac{D^{\delta_D(u)}(w)}{\lambda_D^{\,k}} \;\Big|\; u \in \Sigma^k,\ w \in \Sigma^\omega,\ \psi \text{ is a run of } A \text{ on } u\Big\} = \\
&\min\Big\{A(\psi) + \frac{\mathrm{LowRun}(A^{\delta_A(\psi)})}{\lambda_A^{\,k}} - D(u) - \frac{\mathrm{HighRun}(C^{\delta_A(\psi),\delta_D(u)})}{\lambda_D^{\,k}} \;\Big|\; u \in \Sigma^k,\ \psi \text{ is a run of } A \text{ on } u\Big\}
\end{aligned}$$

and it is only left to calculate this value for every k-sized run of A, meaning for 
every leaf in the computation tree of A. 

The case of λ_A > λ_D is analogous, with the following changes: 


— For every transition of D, we compute MaxVal(p,σ,p') = γ_D(p,σ,p') + (1/λ_D) · 
HighWord(D^{p'}), instead of MinVal(q,σ,q'). 

— The preferred transitions of D are the ones that start a maximal-valued 
infinite run, that is δ_pr = {t = (p,σ',p') ∈ δ_D | MaxVal(t) = HighRun(D^p)}, 
and the minimal penalty m_D is 

$$m_D = \min\{\mathrm{MaxVal}(t') - \mathrm{MaxVal}(t'') \mid t' = (p,\sigma',p') \in \delta_{pr},\ t'' = (p,\sigma'',p'') \in \delta_D \setminus \delta_{pr}\}.$$

— k should be the minimal integer such that $\frac{\mathrm{MaxDiff}(A)}{\lambda_A^{\,k}} < \frac{m_D}{\lambda_D^{\,k}}$. 

— We define B to be the restriction of D to its preferred transitions, and 
C^{δ_A(ψ),δ_D(u)} as a partial λ_A-NDA on the product of A^{δ_A(ψ)} and B^{δ_D(u)} while 
considering the weights of A. We then calculate LowRun(C^{δ_A(ψ),δ_D(u)}) for 
every k-sized run ψ of A on u, and conclude that min{A − D} is equal to 

$$\min_{\psi}\Big\{A(\psi) + \frac{\mathrm{LowRun}(C^{\delta_A(\psi),\delta_D(u)})}{\lambda_A^{\,k}} - D(u) - \frac{\mathrm{HighRun}(D^{\delta_D(u)})}{\lambda_D^{\,k}}\Big\}.$$

Observe that in this case, it might not hold that all runs of C^{δ_A(ψ),δ_D(u)} on 
the same word have the same value, but such a property is not required, since 
we look for the minimal run value (which is the minimal word value). 


Notice that the algorithm of Lemma 3 does not work if switching the direction 
of containment, namely if considering a deterministic A and a nondeterministic 
D. The determinism of D is required for finding the maximal value of a valid 
word in B^{δ_A(ψ)} × D^{δ_D(u)}. If D is not deterministic, the maximal-valued run of 
B^{δ_A(ψ)} × D^{δ_D(u)} on some word w equals the value of some run of D on w, but 
not necessarily the value of D on w. We also need D to be deterministic for 
computing HighWord(D^p) in the case that λ_A > λ_D. 

Moving to automata on finite words, we reduce the problem to the corresponding 
problem handled in Lemma 3, by adding to the alphabet a new letter 
that represents the end of the word, and making some required adjustments. 


Lemma 4. There is an algorithm that computes for every input discount factors 
λ_A, λ_D ∈ ℚ ∩ (1,∞), λ_A-NDA A and λ_D-DDA D on finite words the value of 
inf{A(u) − D(u) | u ∈ Σ^+}, and determines if there exists a finite word u for 
which A(u) − D(u) equals that value. 


Proof. Without loss of generality, we assume that initial states of automata have 
no incoming transitions. (Every automaton can be changed in linear time to an 
equivalent automaton with this property.) 

We convert, as described below, an NDA N on finite words to an NDA 
N̂ on infinite words, such that N̂ intuitively simulates the finite runs of N. 
For an alphabet Σ, a discount factor λ ∈ ℚ ∩ (1,∞), and a λ-NDA (DDA) 
N = (Σ, Q_N, ι_N, δ_N, γ_N) on finite words, we define the λ-NDA (DDA) N̂ = 
(Σ̂, Q_N ∪ {q_τ}, ι_N, δ_N̂, γ_N̂) on infinite words. The new alphabet Σ̂ = Σ ∪ {τ} 
contains a new letter τ ∉ Σ that indicates the end of a finite word. The new 
state q_τ has 0-valued self loops on every letter in the alphabet, and there are 0-
valued transitions from every non-initial state to q_τ on the new letter τ. Formally, 
δ_N̂ = δ_N ∪ {(q_τ, σ, q_τ) | σ ∈ Σ̂} ∪ {(q, τ, q_τ) | q ∈ Q_N \ ι_N}, and 

$$\gamma_{\hat N}(t) = \begin{cases} \gamma_N(t) & t \in \delta_N \\ 0 & \text{otherwise} \end{cases}$$

Observe that for every state q ∈ Q_N, the following hold. 


1. For every finite run r_N of N^q, there is an infinite run r_N̂ of N̂^q, such that 
N̂^q(r_N̂) = N^q(r_N), and r_N̂ takes some τ transitions. (r_N̂ can start as r_N 
and then continue with only τ transitions.) 

2. For every infinite run r_N̂ of N̂^q that has a τ transition, there is a finite run 
r_N of N^q, such that N^q(r_N) = N̂^q(r_N̂). (r_N can be the longest prefix of r_N̂ 
up to the first τ transition.) 

3. For every infinite run r_N̂ of N̂^q that has no τ transition, there is a series of 
finite runs of N^q, such that the values of the runs in N^q converge to N̂^q(r_N̂). 
(For example, the series of all prefixes of r_N̂.) 

Hence, for every q ∈ Q_N we have inf{N^q(r) | r is a run of N^q} = LowRun(N̂^q) 
and sup{N^q(r) | r is a run of N^q} = HighRun(N̂^q). (For a non-initial state q, 
we also consider the "run" of N^q on the empty word, and define its value to 
be 0.) Notice that the infimum (supremum) run value of N^q is attained by an 
actual run of N^q iff there is an infinite run of N̂^q that gets this value and takes 
a τ transition. 

For every state q ∈ Q_N, we can determine, as follows, whether LowRun(N̂^q) 
is attained by an infinite run taking a τ transition. We calculate LowRun(N̂^q) 
for all states, and then start a process that iteratively marks the states of N̂, such 
that at the end, q ∈ Q_N is marked iff LowRun(N̂^q) can be achieved by a run 
with a τ transition. We start with q_τ as the only marked state. In each iteration 
we further mark every state q from which there exists a preferred transition 
t = (q,σ,q') ∈ δ_pr to some marked state q'. The process terminates when an 
iteration has no new states to mark. Analogously, we can determine whether 
HighRun(N̂^q) is attained by a run that goes to q_τ. 

Consider discount factors λ_A, λ_D ∈ ℚ ∩ (1,∞), a λ_A-NDA A and a λ_D-DDA 
D on finite words. When λ_A = λ_D, similarly to Lemma 3, the algorithm finds 
the infimum value of C = A − D using Ĉ, and determines if an actual finite word 
attains this value using the process described above. 

Otherwise, the algorithm converts A and D to Â and D̂, and proceeds as 
in Lemma 3 over Â and D̂. According to the above observations, we have 
that inf{A(u) − D(u) | u ∈ Σ^+} = min{Â(w) − D̂(w) | w ∈ Σ̂^ω}, and that 
inf{A(u) − D(u)} is attainable iff min{Â(w) − D̂(w)} is attainable by some word 
that has a τ transition. Hence, whenever computing LowRun or HighRun, we 
also perform the process described above, to determine whether this value is 
attainable by a run that has a τ transition. We determine that inf{A(u) − D(u)} 
is attainable iff there exists a leaf of the computation tree that leads to it, for which 
the relevant values LowRun and HighRun are attainable. 


Complexity analysis. We show below that the algorithm of Lemmas 3 and 4 
only needs polynomial space, with respect to the size of the input automata, 
implying a PSPACE algorithm for the corresponding decision problems. We 
define the size of an NDA N, denoted by |N|, as the maximum between the 
number of its transitions, the maximal binary representation of any weight in it, 
and the maximal unary representation of the discount factor. (Binary representation 
of the discount factors might cause our algorithm to use exponential 
space, in case that the two factors are very close to each other.) The input NDAs 
may have rational weights, yet it will be more convenient to consider equivalent 
NDAs with integral weights that are obtained by multiplying all the weights by 
their common denominator [6]. (Observe that it causes the values of all words 
to be multiplied by this same ratio, and it keeps the same input size, up to a 
polynomial change.) 

Before proceeding to the complexity analysis, we provide an auxiliary lemma 
(proof appears in [7]). 


Lemma 5. For every integers p > q ∈ ℕ \ {0}, a p/q-NDA A with integral weights, 
and a lasso run r = t_0, t_1, ..., t_{x−1}, (t_x, t_{x+1}, ..., t_{x+y−1})^ω of A, there exists an 
integer b, such that 

$$A(r) = \frac{b}{p^{\,x-1}\,(p^{\,y} - q^{\,y})}.$$


Proceeding to the complexity analysis, let the input size be S = |A| + |D|, 
the reduced forms of λ_A and λ_D be p/q and p'/q' respectively, the number of states 
in A be n, and the maximal difference between transition weights in D be M. 
Observe that n ≤ S, p ≤ S, M ≤ 2·2^S, λ_D/(λ_D − 1) ≤ p' ≤ S, and for 
λ_D > λ_A > 1, we also have 

$$\frac{\lambda_D}{\lambda_A} = \frac{p'\,q}{p\,q'} \ge 1 + \frac{1}{p\,q'} \ge 1 + \frac{1}{S^2}.$$

Observe that A has a best infinite run (and D has a worst infinite run), 
in a lasso form as in Lemma 5, with x, y ∈ [1..n]. Indeed, following preferred 
transitions, a run must complete a lasso, and then may forever repeat its choices 
of preferred transitions. Hence, m_A, being the difference between two lasso runs, 
is of the form 

$$m_A = \frac{b_1}{p^{\,x_1-1}(p^{\,y_1}-q^{\,y_1})} - \frac{b_2}{p^{\,x_2-1}(p^{\,y_2}-q^{\,y_2})} = \frac{b_3}{p^{\,x_1+x_2-2}(p^{\,y_1}-q^{\,y_1})(p^{\,y_2}-q^{\,y_2})} \ge \frac{1}{p^{\,4n-2}} \ \overset{\text{for } S>1}{\ge}\ \frac{1}{S^{\,4S}} \ge \frac{1}{2^{\,3S^2}}$$

for some x_1, x_2, y_1, y_2 ≤ n and some integers b_1, b_2, b_3 (with b_3 ≥ 1 since m_A > 0). (Similarly, we can show 
that m_D ≥ 1/2^{3S²}.) We have MaxDiff(D) ≤ M · λ_D/(λ_D − 1), hence 

$$\frac{\mathrm{MaxDiff}(D)}{m_A} \le \frac{M \cdot \frac{\lambda_D}{\lambda_D-1}}{m_A} \le \frac{2\cdot 2^{S}\cdot S}{m_A} \ \overset{\text{for } S>1}{\le}\ 2\cdot 2^{S}\cdot S\cdot 2^{\,3S^2} \le 2^{\,3S+3S^2}.$$


Recall that we unfold the computation tree until level k, which is the minimal 
integer such that (λ_D/λ_A)^k > MaxDiff(D)/m_A. Observe that for S > 1 we have 

$$\Big(\frac{\lambda_D}{\lambda_A}\Big)^{S^2} \ge \Big(1 + \frac{1}{S^2}\Big)^{S^2} \ge 2,$$

hence for k' = S² · (3S + 3S²), we have 

$$\Big(\frac{\lambda_D}{\lambda_A}\Big)^{k'} = \Big(\Big(\frac{\lambda_D}{\lambda_A}\Big)^{S^2}\Big)^{3S+3S^2} \ge 2^{\,3S+3S^2} \ge \frac{\mathrm{MaxDiff}(D)}{m_A},$$

meaning that k ≤ k' is polynomial in S. Similar analysis shows that k is polynomial 
in S also for λ_D < λ_A. 
Considering decision problems that use our algorithm, due to the equivalence 
of NPSPACE and PSPACE, the algorithm can nondeterministically guess an 
optimal prefix word u of size k, letter by letter, as well as a run ψ of A on u, 
transition by transition, and then compute the value of 

$$A(\psi) + \frac{\mathrm{LowRun}(A^{\delta_A(\psi)})}{\lambda_A^{\,k}} - D(u) - \frac{\mathrm{HighRun}(C^{\delta_A(\psi),\delta_D(u)})}{\lambda_D^{\,k}}.$$

Observe that along the run of the algorithm, we need to save the following 
information, which can be done in polynomial space: 

— The automaton C = B × D (or A × B), which requires polynomial space. 

— λ_A^k (for A(ψ)) and λ_D^k (for D(u)). Since we save them in binary representation, 
we have log_2(λ^k) ≤ k log_2(S), requiring polynomial space. 

We thus get the following complexity result. 


Theorem 4. For input discount factors λ_A, λ_D ∈ ℚ ∩ (1,∞), λ_A-NDA A and 
λ_D-DDA D on finite or infinite words, it is decidable in PSPACE whether 
A(w) ≥ D(w) and whether A(w) > D(w) for all words w. 


Proof. We use Lemma 3 in the case of infinite words and Lemma 4 in the 
case of finite words, checking whether min{A(w) − D(w)} ≥ 0 and whether 
min{A(w) − D(w)} > 0. In the case of finite words, we also use the information 
of whether there is an actual word that gets the desired value. 


Since integral NDAs can always be determinized [8], we get as a corollary that 
there is an algorithm to decide equivalence and strict and non-strict containment 
of integral NDAs with different (or the same) discount factors. Note, however, 
that it might not be in PSPACE, since determinization exponentially increases 
the number of states, resulting in k that is exponential in S, and storing in 
binary representation values in the order of λ^k might require exponential space. 


Corollary 1. There are algorithms to decide for input integral discount factors 
λ_A, λ_B ∈ ℕ, λ_A-NDA A and λ_B-NDA B on finite or infinite words whether or 
not A(w) ≥ B(w), A(w) > B(w), or A(w) = B(w) for all words w. 


5 Conclusions 


The new decidability result, providing an algorithm for comparing discounted-sum 
automata with different integral discount factors, may allow extending the 
usage of discounted-sum automata in formal verification, while the undecidability 
result strengthens the justification for restricting discounted-sum automata 
with multiple integral discount factors to tidy NMDAs. The new algorithm also 
extends the possible, more limited, usage of discounted-sum automata with rational 
discount factors, while further research should be put into this direction. 


Acknowledgements We thank Guillermo A. Perez for stimulating discussions 
on the comparison of integral NDAs with different discount factors. 
Abstract. Fast matching of regular expressions with bounded repetition, aka 
counting, such as (ab) {50,100}, i.e., matching linear in the length of the text 
and independent of the repetition bounds, has been an open problem for at least 
two decades. We show that, for a wide class of regular expressions with counting, 
which we call synchronizing, fast matching is possible. We empirically show that 
the class covers nearly all counting used in usual applications of regex match- 
ing. This complexity result is based on an improvement and analysis of a recent 
matching algorithm that compiles regexes to deterministic counting-set automata 
(automata with registers that hold sets of numbers). 


1 Introduction 


Fast matching of regular expressions with bounded repetition, aka counting, has been 
an open problem for at least two decades (cf., e.g., [33]). The time complexity of the 
standard matching algorithms run on a regex such as .*a.{100} is, at best, dominated 
by the length of the text multiplied by the repetition bounds. This makes matching prone 
to unacceptable slowdowns since the length of the text as well as the repetition bounds 
are often large. In this paper, we provide a theoretical basis for matching of bounded 
repetition with a much more reliable performance. We show that a large and practical 
class of regexes with counting theoretically allows fast matching—in time indepen- 
dent of the counter bounds and linear in the length of the text. 

The problem also has a strong practical motivation. Regex matching is used for 
searching, data validation, detection of information leakage, parsing, replacing, data 
scraping, syntax highlighting, etc. It is natively supported in most programming lan- 
guages [6], and ubiquitous (used in 30-40 % of Java, JavaScript, and Python software 
[7,39,8,5]). Efficiency and predictability of regex matching is important. An extreme 
run-time of matching can have serious consequences, such as a failed input validation 
against injection attacks [41] and events like the outage of Cloudflare services [18]. 
Regex vulnerabilities are also a doorway for the ReDoS (regular expression denial of 
service) attack, in which the attacker crafts a text to overwhelm a matcher (as, e.g., in the 
case of the outage of StackOverflow [13] or the websites exposed due to their use of the 
popular Express.js framework [3]). ReDoS has been widely recognized as a common 
and serious threat [7,9,11], with counting in regexes being especially dangerous [37]. 
Matching algorithms and complexity. The potential instability of the pattern matchers 
is in line with the worst-case complexity of the matching algorithms. The most widely 
used approach to matching is backtracking (used, e.g., in standard matchers of .NET, 
Python, Perl, PHP, Java, JavaScript, Ruby) for its simplicity and ease of implementation 
of advanced features such as back-references or look-arounds. It is, however, at worst 
exponential in the length of the matched text and prone to ReDoS. Even though this 
can be improved, for instance by memoization [11], the fastest matchers used in performance 
critical applications all use automata-based algorithms instead of backtracking. 
The basis of these approaches is Thompson's algorithm [35] (also referred to as online 
NFA-simulation). Together with many optimizations, it is implemented in Intel's Hyperscan 
[40]. When combined with caching, it becomes the on-the-fly subset construction 
of a DFA, also called online DFA-simulation (implemented in RE2 from Google, GNU 
grep, SRM, or the standard matcher of Rust [17,19,30,12]). Without counting, the major 
factor in the worst-case complexity is O(nm²), with n being the length of the text and 
m the number of character occurrences in the regex (m is smaller than the size 
of the regex, the length of the string defining it). We say that the character cost, i.e., the 
cost of extending the text with one character, is m². This is the cost of iterating through 
the transitions of an NFA with O(m) states and O(m²) transitions compiled from the regex 
by some classical construction [2,16,24]. 


Extending the syntax of regexes with bounded quantifiers (or counters), such as 
(ab){50,100}, increases the character complexity dramatically. Given k counters with 
the maximum bound ℓ, the number of NFA states rises to O(mℓ^k), the number of transitions 
as well as the character cost to O((mℓ^k)²). For instance, the minimal DFA for 
.*a.{k} (i.e., a appears k characters from the end) has more than 2^k states. Moreover, 
note that, since k is written as a decadic numeral, its value is exponential in the size 
of the regex. This makes matching with already moderately high k prone to significant 
slowdowns and ReDoS vulnerabilities with virtually every mainstream matcher (see 
[36,37]). At the same time, repetition bounds easily reach thousands, in extreme cases tens 
of millions (in real-life XML [4]). Writing a dangerous counting expression is easy, and 
such an expression is hard to identify. Security-critical solutions may be vulnerable to counting-related 
ReDoS [37] despite extra effort spent in regex design and testing, hence developers 
sometimes avoid counting, use workarounds and restrict functionality. 
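As an added illustration (this code is not from the paper nor from [36]), the following Python takes the paper's .*a.{k} over the alphabet {a, b} and compares the number of DFA states the subset construction reaches (2^{k+1}, in line with the "more than 2^k" above) with a counting-set simulation in which a single register of distances is updated in constant time per letter, independently of k. The NFA encoding, the deque-with-offset register, the cross-check against Python's `re` module and all function names are this example's own choices.

```python
import re
from collections import deque
from itertools import product

# Both constructions below are written for this example (they are not the
# paper's compiler or the CSA of [36]). The regex is the paper's .*a.{k}:
# some 'a' must be followed by exactly k letters before the end of the text.


def nfa_for_dot_star_a_dot_k(k):
    """Classical NFA for .*a.{k} over {a, b}: state 0 loops on every letter,
    0 -a-> 1, i -any-> i+1 for 1 <= i <= k, and k+1 is the only final state."""
    delta = {(0, "a"): {0, 1}, (0, "b"): {0}}
    for i in range(1, k + 1):
        delta[(i, "a")] = delta[(i, "b")] = {i + 1}
    return delta, frozenset({0}), frozenset({k + 1})


def reachable_dfa_states(k, alphabet="ab"):
    """Subset construction restricted to reachable subsets: every DFA state an
    online DFA simulation may have to build (and cache) for this regex."""
    delta, start, _ = nfa_for_dot_star_a_dot_k(k)
    seen, todo = {start}, [start]
    while todo:
        s = todo.pop()
        for c in alphabet:
            nxt = frozenset(p for q in s for p in delta.get((q, c), ()))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return len(seen)


class CountingSetMatcher:
    """Counting-set simulation of .*a.{k}: one register holds the set of
    distances (letters read since) of every 'a' that is still at most k letters
    back. A shared offset increments all distances at once, a new distance is
    appended on the right and an expired one popped on the left, so the work
    per letter is O(1) regardless of k and of the size of the set."""

    def __init__(self, k):
        self.k, self.offset = k, 0
        self.reg = deque()      # insertion offsets of live 'a's, oldest first

    def step(self, letter):
        self.offset += 1                          # distance += 1 for every stored 'a'
        if letter == "a":
            self.reg.append(self.offset)          # the new 'a' has distance 0
        while self.reg and self.offset - self.reg[0] > self.k:
            self.reg.popleft()                    # distance > k can never match again
        return self.accepts()

    def accepts(self):
        return bool(self.reg) and self.offset - self.reg[0] == self.k


def csa_matches(k, text):
    matcher = CountingSetMatcher(k)
    for letter in text:
        matcher.step(letter)
    return matcher.accepts()


def reference_matches(k, text):
    """Cross-check with Python's backtracking engine on the same regex."""
    return re.fullmatch(r".*a.{%d}" % k, text) is not None


def csa_agrees_with_reference(k, max_len):
    """True iff the counting-set matcher agrees with `re` on every word over
    {a, b} of length up to max_len (exhaustive, so small max_len only)."""
    for n in range(max_len + 1):
        for letters in product("ab", repeat=n):
            text = "".join(letters)
            if csa_matches(k, text) != reference_matches(k, text):
                return False
    return True


if __name__ == "__main__":
    for k in range(1, 9):
        print(k, reachable_dfa_states(k))      # 4, 8, 16, ...: 2^(k+1) DFA states
    print(csa_matches(3, "baaab"), csa_agrees_with_reference(3, 8))
```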


The problem of matching with bounded repetition has been addressed from 
the theoretical as well as from the practical perspective by a number of authors 
[15,4,22,26,31,20,25,36]. From these, the recent work [36] is the only one offering fast 
matching for a practically significant class of regexes. The algorithm of [36] compiles 
a regex with counting to a non-deterministic counting automaton (CA), an automaton 
with counters that can be incremented, reset, and compared with a constant. The crux of 
the problem is then to convert the CA to a succinct deterministic machine that could be 
simulated fast in matching. The work [36] achieves this by determinizing the CA into a 
counting-set automaton (CSA), an automaton with registers that hold sets of numbers. 
Its size is independent of the counter bounds and it updates the sets by a handful of 
operations that are all constant time, regardless of the size of the sets. However, regexes 
outside the supported class do appear, the class has no syntactic characterization, and 
it is hard to recognize (as demonstrated also by an incorrect proposal of a syntactic 
class in [36] itself). For instance, .*a{5} or (ab){5} are handled, but .*(aa){5} or 
.*(ab){5} are not (the requirement is technical, see Section 4). 


Our contribution. In this paper, we 


1. generalize the algorithm of [36] to extend the class of handled regexes and 
2. derive a useful syntactic characterization of the extended class. 


The derived class is characterized by flat counting (counting operators are not nested) 
where repetitions of each counted expression R are synchronizing (a word from R^n cannot 
have a prefix from R^{n+1}). It is the first clearly delimited practical class of regexes 
with counting that allows fast matching. It includes the easily recognizable and frequent 
case where every word in R has exactly one occurrence of a marker, a letter or a word 
from a finite set of markers that unambiguously identifies each occurrence of R (note 
that even this simple class was not handled by any previous fast algorithms, including 
[36]). In our experiment with a large set of regexes from various sources, 99.6 % of 
non-trivial flat counting was synchronizing and 99.2 % was letter-marked. 

To obtain the results (1) and (2) above, we first modify the determinization of [36] 
to include the entire class of regexes with flat counting. In a nutshell, this is achieved 
by two changes: (i) We allow copying and uniting of sets stored in registers, and (ii) in 
the determinization, we index counters of the CA by its states to handle CA in which 
nondeterministic runs that reach different states reach different counter values. 

These modifications come with the main technical challenge that we solve in this 
paper: copying and uniting sets is not constant-time but linear in the size of the sets. 
This would make the character cost linear in the counter bound ℓ again. To remove the 
dependency on the counter bounds, we augment the determinization by optimizations 
that avoid the copying and uniting. First, to alleviate the cost of uniting, we store intersections 
of sets stored in registers in new shared registers, so that the intersection does 
not contribute to the cost of uniting the registers. Then, to increase the impact of intersection 
sharing, we synchronize register updates in order to make their intersections 
larger. We then show that if the CSA does not replicate registers, i.e., each register can in 
a transition appear on the right-hand side of only one register assignment, then it never 
copies registers and the cost of unions can be amortised. Finally, we define the class of 
regexes with synchronizing counting for which the optimized CSA do not replicate 
counters, so their simulation in matching is fast. 


Related work. In the context of regex matching, counting automata were used in several 
forms under several names (e.g. [20,36,4,15,31,32,33,14,23]). Besides [36] discussed 
above, other solutions to matching of counting regexes [15,4,22,26,31,20,25] handle 
small classes of regexes or do not allow matching linear in the text size and indepen- 
dent of counter bounds. The work [20] proposes a CA-to-CA determinization producing 
smaller automata than the explicit CA determinization for the limited class of monadic 
regexes, covered by letter-marked counting, and the size of their deterministic automata 
is still dependent on the counter bounds. The work [4] uses a notion of automata with 
counters of [15]. It focuses mostly on deterministic regexes, a class much smaller than 
regexes with synchronizing counting, and proposes a matching algorithm still dependent 
on the counter bounds. The paper [25] proposes an algorithm that takes time at 
worst quadratic in the length of the text. Extended FA (XFA) of [31,32] augment NFA 
with a scratch memory of bits that can represent counters, and their determinization 
is exponential in counter bounds already for regexes such as .*a.{k}. The counter-1-unambiguous 
regexes of [22,23] can be directly compiled into deterministic automata 
called FACs, similar to our CA, independent of counter bounds, but the class is limited, 
excluding e.g., .*a.{k}. 


Fast Matching of Regular Patterns with Synchronizing Counting 395 


2 Preliminaries 


We use ℕ to denote the natural numbers including 0. For a set S, P(S) denotes its 
powerset and P_fin(S) is the set of all finite subsets of S. 

A first order language (f.o.l.) Γ = (F,P) consists of a set of function symbols F 
and a set of predicate symbols P. An interpretation I of Γ with a domain D_I assigns 
a function f^I : D_I^n → D_I to each n-ary f ∈ F and a function p^I : D_I^n → {0,1} to each 
n-ary p ∈ P. An assignment of a set of variables X in I is a total function ν : X → D_I. 
The set of terms Terms_{Γ,X} and the set QFF_{Γ,X} of quantifier free formulae (boolean 
combinations of atomic formulae) over Γ and X, as well as the interpretation of a term, 
t^I(ν), and a formula, φ^I(ν), are defined as usual. We denote by ν ⊨^I φ that the formula 
φ is satisfied (interpreted as true) by the assignment ν. It is then satisfiable. We drop 
the sub/superscript I when it is clear from the context. We write φ[x] and t[x] to denote 
a unary formula φ or term t, respectively, with the free variable x, and we may also 
abuse this notation to denote the term/formula with its only free variable replaced by 
x. We write t^I(k) and φ^I(k) to denote the values t^I({x ↦ k}) and φ^I({x ↦ k}). For a 
set of formulae Ψ = {ψ_1, ..., ψ_n}, the set Minterms(Ψ) consists of all minterms of Ψ, 
satisfiable conjunctions φ_1 ∧ ··· ∧ φ_n where for each i: 1 ≤ i ≤ n, φ_i is ψ_i or ¬ψ_i. 

We fix a finite alphabet Σ of symbols/letters for the rest of the paper. Words are sequences 
of letters, with the empty word ε. The concatenation of words u and v is denoted 
u·v, uv for short. A set of words over Σ is a language, the concatenation of languages 
is L·L' = {u·v | u ∈ L ∧ v ∈ L'}, LL' for short. Bounded iteration x^i, i ∈ ℕ, of a word or 
a language x is defined by x^0 = ε for a word, x^0 = {ε} for a language, and x^{i+1} = x^i · x. 
Then x* = ⋃_{i∈ℕ} x^i. We consider a usual basic syntax of regular expressions (regexes), 
generated by the grammar R ::= ε | a | (R) | RR | R|R | R* | R{m,n} where m ∈ ℕ, 
n ∈ ℕ ∪ {∞}, 0 ≤ m, 0 < n, m ≤ n, and a ∈ Σ. We use R{m} for R{m,m}. Regexes containing 
a sub-expression with the counter R{m,n} or R{m} are called counting regexes 
and m, n are counter bounds. We denote by max_R the maximum integer occurring in 
the counter bounds of regex R and we denote the number of counters by cnt_R. A regex 
with flat counting does not have nested counting, that is, in a sub-regex S{m,n}, S 
cannot contain counting. The language of a regex R is constructed inductively on its 
structure: L(ε) = {ε}, L(a) = {a} for a ∈ Σ, L(RR') = L(R)·L(R'), L(R*) = L(R)*, 
L(R|R') = L(R) ∪ L(R'), and L(R{m,n}) = ⋃_{m≤i≤n} L(R)^i. We understand |R| simply as 
the length of the defining string, e.g. |(ab){10}| = 8. We define ♯R as the number of 
character occurrences in R, formally, ♯a = 1 for a ∈ Σ, ♯ε = 0, ♯(R) = ♯R{m,n} = ♯R, 
and ♯R·S = ♯R|S = ♯R + ♯S. 

A (nondeterministic) automaton (NA) is a tuple A = (Q, Δ, I, F) where Q is a set of 
states, Δ is a set of transitions of the form q –{a}→ r with q, r ∈ Q and a ∈ Σ, I ⊆ Q is the 
set of initial states, and F ⊆ Q is the set of final states. A run of A over a word w = 
a_1 ··· a_n from state p_0 to p_n, n ≥ 0, is a sequence of transitions p_0 –{a_1}→ p_1, p_1 –{a_2}→ p_2, 
..., p_{n−1} –{a_n}→ p_n from Δ. The empty sequence is a run with p_0 = p_n over ε. The run is 
accepting if p_0 ∈ I and p_n ∈ F, and the language L(A) of A is the set of all words for 
which A has an accepting run. A state q is reachable if there is a run from I to it. The size 
of the NA, |A|, is defined as the number of its states plus the number of its transitions. 
The automaton is deterministic (DA) iff |I| = 1 and for every state q and symbol a, Δ has 
at most one transition q –{a}→ r. The subset construction transforms the NA to the DA with 
the same language DA(A) = (Q', Δ', I', F') where Q' ⊆ P(Q) and Δ' are the smallest 
sets of states and transitions satisfying I' = {I}, Δ' has for each a ∈ Σ and each S ∈ Q' 
the transition S –{a}→ {s' | s ∈ S ∧ s –{a}→ s' ∈ Δ}, and F' = {S ∈ Q' | S ∩ F ≠ ∅}. When the 
set of states Q is finite, we talk about (deterministic) finite state automata (NFA, DFA).¹ 
This paper is concerned with the problem of fast pattern matching, basically a membership
test: given a regex $R$ and a text $w$, decide whether $w \in L(R)$. While $w$ may be
very long, $R$ is normally small, hence the dependence on $|w|$ is the major factor in
the complexity. The offline DFA simulation takes time linear in $|w|$. It (1) compiles
$R$ into an NFA $NFA(R)$, (2) determinizes it, and (3) follows the DFA run over $w$ (aka
simulates the DFA on $w$), all in time and space $O(2^{|NFA(R)|} + |w|)$. The cost of deter-
minization, exponential in $|NFA(R)|$, is however too impractical. Modern matchers such
as Grep or RE2 [19,17] therefore use the techniques of online DFA simulation, where
only the part of the DFA used for processing $w$ is constructed. It reduces the complexity
to $O(\min(2^{|NFA(R)|} + |w|,\ |w| \cdot |NFA(R)|))$ (the first operand of min is the explicit deter-
minization in case the entire DFA is constructed, plus the cost of DFA-simulation; the
second operand is the cost of the online-DFA simulation, coming from the fact that every step
may incur construction of a new DFA state and transition in time $O(|NFA(R)|)$). For
counting regexes, the factor $|NFA(R)|$ depends linearly (or more if counting is nested)
on $max_R$, and thus exponentially on $|R|$. This makes counting very problematic in prac-
tice [36,37,33]. We will present a matching algorithm which is fast for a specific class
of regexes, meaning that its run-time is still linear in $|w|$ but is independent of $max_R$.
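The two strategies just compared, as an added example that is not code from the paper: a lazily determinized view of an NFA (online DFA simulation, where a DFA state is materialised only when the word reaches it) next to the full subset construction (offline determinization). The automaton for $(a|b)^*abb$ is a constructed textbook sample, not one produced by the paper's construction; names such as `OnlineDFA` and `post` are this example's own.

```python
from typing import Dict, FrozenSet, Set, Tuple

# Constructed sample NFA for (a|b)*abb over the alphabet {a, b}: four states,
# initial {0}, final {3}.  A textbook automaton built for this example.
SAMPLE_NFA = {
    "alphabet": {"a", "b"},
    "delta": {(0, "a"): {0, 1}, (0, "b"): {0}, (1, "b"): {2}, (2, "b"): {3}},
    "initial": {0},
    "final": {3},
}


def post(nfa, S: FrozenSet[int], a: str) -> FrozenSet[int]:
    """One step of the subset construction: S --a--> {s' | s in S, s --a--> s'}.
    Touches every a-transition of the states in S, hence O(|NFA|) per call."""
    return frozenset(t for s in S for t in nfa["delta"].get((s, a), ()))


class OnlineDFA:
    """Lazily determinized view of an NFA.  DFA states (sets of NFA states)
    and transitions are created only when the input word reaches them."""

    def __init__(self, nfa):
        self.nfa = nfa
        self.start = frozenset(nfa["initial"])
        self.trans: Dict[Tuple[FrozenSet[int], str], FrozenSet[int]] = {}
        self.states: Set[FrozenSet[int]] = {self.start}

    def step(self, S, a):
        key = (S, a)
        if key not in self.trans:          # first visit: pay O(|NFA|) once
            T = post(self.nfa, S, a)
            self.trans[key] = T
            self.states.add(T)
        return self.trans[key]              # later visits: O(1) lookup

    def accepts(self, word: str) -> bool:
        S = self.start
        for a in word:
            S = self.step(S, a)
        return bool(S & self.nfa["final"])


def explicit_dfa_size(nfa) -> Tuple[int, int]:
    """Offline determinization: build the whole DFA up front and return
    (number of states, number of transitions), the 2^|NFA| part of the bound."""
    start = frozenset(nfa["initial"])
    seen, work, ntrans = {start}, [start], 0
    while work:
        S = work.pop()
        for a in sorted(nfa["alphabet"]):
            T = post(nfa, S, a)
            ntrans += 1
            if T not in seen:
                seen.add(T)
                work.append(T)
    return len(seen), ntrans


def match(nfa, word: str) -> Tuple[bool, int]:
    """Membership test by online DFA simulation; also returns how many DFA
    states were actually materialised while reading this particular word."""
    dfa = OnlineDFA(nfa)
    return dfa.accepts(word), len(dfa.states)
```

On the word `bbbb` the online simulation never leaves the start set and builds a single DFA state, while the full determinization of the same NFA has four states and eight transitions; the gap is what the $\min(\cdot)$ in the bound expresses, and it grows with the counter bounds once counting enters the NFA.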


3 Counting Automata 


We use a rephrased definition of counting automata and counting-set automata of [36]. 
We will present them as a special case of a generic notion of automata with registers. 


Definition 1 (Automata with registers). An automaton with registers (RA) operated
through an f.o.l. $\Gamma$ under an interpretation $\mathbb{I}$ is a tuple $A = (X, Q, \Delta, I, F)$ where $X$ is a
set of variables called registers; $Q$ is a finite set of states; $\Delta$ is a finite set of transitions
of the form $q \xrightarrow{a,\varphi,u} p$ where $p, q \in Q$, $a \in \Sigma$, $u : X \to Terms_{\Gamma,X}$ is an update, and $\varphi \in
QFF_{\Gamma,X}$ is a guard; $I$ is a set of initial configurations, where a configuration is a pair of
the form $(q, m)$ where $q \in Q$ and $m : X \to D_{\mathbb{I}}$ is a register assignment called a memory;
and $F : Q \to QFF_{\Gamma,X}$ is a final condition assignment.


¹ We do not require finiteness in the basic definition in order to avoid artificial restrictions of the
notions of automata with registers/counters/counting sets defined later.
The language of $A$, $L(A)$, is defined as the language of its configuration automaton
$Conf(A)$. States of $Conf(A)$ are configurations of $A$ that are reachable. $I$ is the set of
initial states of $Conf(A)$. It has a transition $(q,m) \xrightarrow{a} (q',m')$ iff $(q,m)$ is reachable and
$\Delta$ has a transition $\delta = q \xrightarrow{a,\varphi,u} q' \in \Delta$ such that $(q',m')$ is the image of $(q,m)$ under $\delta$,
denoted $(q',m') = \delta(q,m)$, meaning that (1) $\delta$ is enabled in $(q,m)$, $m \models \varphi$, and (2)
$m' = u(m)$, i.e. $m'(x) = u(x)^{\mathbb{I}}(m)$ for each $x \in X$. We let $\delta(C) = \{\delta(c) \mid c \in C\}$ for a set
of configurations $C$. A configuration $(q,m)$ is final if $m \models F(q)$. By runs of $A$ we mean
runs of $Conf(A)$. The RA $A$ is deterministic if $Conf(A)$ is deterministic. The size of the
RA is $|A| = |Q| + \sum_{\delta \in \Delta} |\delta|$ where $|\delta|$ is the sum of the sizes of the update and the guard.


Definition 2 (Counting automata). A counting automaton (CA) is an automaton with
registers, called counters, operated through the counting language $\Gamma_{cnt}$ that contains
the unary increment function, denoted $x + 1$, constants 0 and 1, and predicates $x > k$ and
$x < k$, $k \in \mathbb{N}$, with the standard interpretation over natural numbers, that we denote $\mathbb{I}_{cnt}$.


Regexes with counting may be translated to CA by several methods ([36,33,14,23]). We
use a slightly adapted version of [14], an extension of Glushkov's algorithm [16] to
counting. For a regex $R$, it produces a CA $CA(R) = (X, Q, \Delta, \{\alpha_0\}, F)$. Figure 1 shows an
example of such CA. The construction is discussed in detail in [21], here we only
overview the important properties needed in Sections 4-6:

Fig. 1: $CA(R)$ for $R = ((a|b)b)\{3,8\}$. The accepting condition of all states is $\bot$ except
for $b$ whose accepting condition is written in the square brackets.


1. Every occurrence $S$ of a counted sub-expression $T\{min_S, max_S\}$ of $R$ corresponds
to a unique counter $x_S$ and a substructure $A_S$ of $CA(R)$. Outside $A_S$, $x_S$ is inactive (a
dead variable) and its value is 0, it is assigned 1 on entering $A_S$, and every iteration
through $A_S$ increments the value of $x_S$ while reading a word from $L(T)$. Our minor
modification of [14] is related to the fact that the original assigns 1 to inactive
counters while we need 0.

2. $CA(R)$ has at most $\sharp R + 1$ states, $cntr_R \cdot \sharp R^2$ transitions, and $cntr_R$ counters. It has at most
$\sharp R^2$ transitions if $R$ is flat.

3. $CA(R)$ has a single initial configuration $\alpha_0 = (q_0, s_0)$ s.t. $s_0(x_S) = 0$ for each $x_S \in X$.

4. Guards and final conditions are conjunctions consisting of at most one conjunct
of the form $min_S < x_S$ or $max_S > x_S$ per counter $x_S \in X$. A transition update may
assign to $x_S \in X$ only one of the terms 0, 1, $x_S$, and $x_S + 1$. It has no guard on $x_S$ if it
is assigned $x_S$, i.e. kept unchanged, it has the guard $x_S > min_S$ iff $x_S$ is reset to 0 or
1 (a counter cannot be reset before reaching its lower bound), and it has the guard
$x_S < max_S$ iff $x_S$ is assigned $x_S + 1$ (a counter can never exceed its maximum value
$max_S$). Hence, a counter can never exceed $max_R$.

5. Flatness of $R$ translates to the fact that configurations of $CA(R)$ assign a non-zero
value to at most one counter. This implies that $Conf(CA(R))$ has at most $|Q| \cdot max_R$
states and also that $CA(R)$ is Cartesian, a property that will be defined in Section 4
and is crucial for correctness of our CA determinization (Theorem 3 in Section 6).
A DFA can be obtained by the subset construction in the form $DA(Conf(CA(R)))$, called
explicit determinization. Due to the factor $max_R$ in the size of $Conf(CA(R))$, the explicit
determinization is exponential in $max_R$ even if $R$ is flat, meaning doubly exponential in
$|R|$ ($R$ has $max_R$ written as a decimal numeral). If $R$ is not flat, then the factor $max_R$ is
replaced by $(max_R)^{\sharp R}$.


4 Counter-subset Construction 


In this section, we formulate a modified version of determinization of CA from [36]
that constructs a machine of a size independent of $max_R$. Our version handles the entire
class of Cartesian CA (defined below) and in turn also all regexes with flat counting.

The main idea of the determinization remains the same as in [36]. The standard sub-
set construction is augmented with registers, we call them counting sets, that can store
sets of counter values that would be generated by non-deterministic runs of the CA.
The automata with counting-sets as registers are called counting-set automata. Our first
modification of [36] is indexing of counters by states. Intuitively, this allows handling
cases such as $a^*(ba|ab)\{5\}$, where, after reading the first $ab$, the counter is either
incremented or not ($b$ is the first letter of the counted sub-expression or not). This would
violate the uniformity property of CA necessary in [36]: the set of values generated by
the non-deterministic CA runs must be the same for every CA state. In our modified ver-
sion, values at distinct states are stored separately in registers indexed by those states
and may differ. Then, in order to handle the indexed counters, we have to introduce a
general assignment of counters, allowing to assign the union of other counters.² Intu-
itively, when a run non-deterministically branches into several states, each branch needs
to continue with its own copy of the set, stored in a counter indexed by the state. The
union of sets is used when the branches join again. This brings a technical challenge
that we solve in this work: how to simulate the counting-set automata fast when the set
union and copy are used? The solution is presented in Sections 5 and 6.


Definition 3 (Counting-set automata). A counting-set automaton (CSA) is an au-
tomaton with registers operated through the counting-set language $\Gamma_{set}$ under the num-
ber-set interpretation $\mathbb{I}_{set}$ where the language $\Gamma_{set}$ extends the counting language $\Gamma_{cnt}$
with the constant $\emptyset$, binary union $\cup$, and set-filter functions $\nabla_p$ where $p$ is a predicate
symbol of $\Gamma_{cnt}$. For simplicity, we restrict terms assigned to counters by transition up-
dates to the form $t = t_1 \cup \cdots \cup t_n$ where each $t_i$ is either (a) a term of $\Gamma_{cnt}$ or $\emptyset$, (b) of
the form $\nabla_p(t')$ where $t'$ is a term of $\Gamma_{cnt}$. Each $t_i$ is called an r-term of $t$.

The domain of $\mathbb{I}_{set}$ is sets of natural numbers, $\mathcal{P}(\mathbb{N})$. The interpretation of the
predicates and functions of $\Gamma_{cnt}$ under $\mathbb{I}_{set}$ is derived from the base number inter-
pretation of the same predicates and functions: A function returns the image of the
set in the argument under the base semantics, $f^{\mathbb{I}_{set}}(S) = \{f^{\mathbb{I}_{cnt}}(n) \mid n \in S\}$. A set sat-
isfies a predicate if some of its elements satisfy the base semantics of that predicate,
$p^{\mathbb{I}_{set}}(S) \iff \exists e \in S : p^{\mathbb{I}_{cnt}}(e)$. Filters then filter out values that do not satisfy the base
semantics of their predicate, $\nabla_p^{\mathbb{I}_{set}}(S) = \{e \in S \mid p^{\mathbb{I}_{cnt}}(e)\}$. Finally, $\emptyset$ is interpreted as
the empty set and $\cup$ as the union of sets. We denote memories of the CSA by $s$ to distin-
guish them from memories of CA. We write DCSA to abbreviate deterministic CSA.

² [36] could assign to a counter $x$ only a constant or function of the current value of $x$.


Less formally, registers of CSA hold sets of numbers and are manipulated by the
increment $x + 1$ of all values, assignment of constant sets $\{0\}$, $\{1\}$, and $\emptyset$, denoted by
0, 1, and $\emptyset$, filtering out values smaller or larger than a constant, denoted $\nabla_{x > k}(x)$ and
$\nabla_{x < k}(x)$, and testing on a presence of a value $x$ satisfying $x < k$ or $x > k$, $k \in \mathbb{N}$.

We will present an algorithm that determinizes a CA $A = (X, Q, \Delta, I, F)$, fixed for
the rest of the section, into a DCSA $DCSA(A) = (X', Q', \Delta', I', F')$. We assume that
guards of transitions in $A$ and final conditions are of the form $\bigwedge_{x \in Y} p_x[x]$, $Y \subseteq X$, i.e.
conjunctions with at most a single atomic predicate per counter. This is satisfied by
all $CA(R)$, for any regex $R$ (see the list of properties of $CA(R)$ in Section 3).³

Runs of $DCSA(A)$ will encode runs of $DA(Conf(A))$ obtained from the explicit deter-
minization of $A$. Recall that the states of $DA(Conf(A))$ are sets of configurations of $A$, pairs
$(q, m)$ of a state and a counter assignment. $DCSA(A)$ will represent the sets of counter
values within a DA state as run-time values of its registers.

Particularly, for every state $q$ and a counter $x$ of the CA, $DCSA(A)$ has a register $x_q$ in
which it remembers, after reading a word $w$, the set of all values that $x$ reaches in runs
of the base CA on $w$ ending in $q$. Hence, we have $X' = \{x_q \mid x \in X,\ q \in Q\}$.


Definition 4 (Encoding of sets of CA configurations). A state $S = \{(q_i, m_i)\}_{i=1}^n$ of
$DA(Conf(A))$ is encoded as the $DCSA(A)$ configuration $enc(S) = (\{q_i\}_{i=1}^n, s)$ where

$$ s(x_q) = \{ m_i(x) \mid q_i = q \}_{i=1}^n . $$


Since a set of assignments appearing with the state $q$ is broken down to sets of values
of the individual counters, it disregards relations between values of different counters.
For instance, in the DA state $S_1 = \{(q, \{x \mapsto 0, y \mapsto 0\}), (q, \{x \mapsto 1, y \mapsto 1\})\}$, the values
of $x$ and $y$ are either both 0 or both 1, but $enc(S_1) = (\{q\}, \{x_q \mapsto \{0,1\}, y_q \mapsto \{0,1\}\})$
does not retain this information. It is identical to the encoding of another DA state
$S_2 = \{(q, \{x \mapsto 1, y \mapsto 0\}), (q, \{x \mapsto 0, y \mapsto 1\})\}$. This is the same loss of information as
in the so-called Cartesian abstraction. The encoding is hence precise and unambiguous
only when we assume that inside the states of $DA(A)$, the relations between counters are
always unrestricted, so there is no information to be lost. We then call the CA Cartesian,
as defined below. The encoding function is then unambiguous, and we call the inverse
function decoding, denoted $dec$.


Definition 5 (Cartesian CA). Assuming the set of counters of $A$ is $X = \{x_i\}_{i=1}^m$, then
a set $C$ of configurations of $A$ is Cartesian iff, for every state $q$ of $A$, there exist sets
$N_1, \ldots, N_m \subseteq \mathbb{N}$ such that $(q, \{x_i \mapsto n_i\}_{i=1}^m) \in C$ iff $(n_1, \ldots, n_m) \in N_1 \times \cdots \times N_m$. The CA
$A$ is Cartesian iff all states of $DA(Conf(A))$ are Cartesian.


For instance, the DA states $S_1$ and $S_2$ above are not Cartesian, while $S_1 \cup S_2$ is.
Similarly to the regex to CA construction of [36], our regex to CA construction
discussed in Section 3 returns a Cartesian CA when called on a flat regex.


³ Every CA can be transformed to this form by transforming the formulae to DNF and creating
clones of transitions/states for individual clauses.
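Definitions 4 and 5 on the two DA states from the text, as an added example rather than the paper's own code: `enc` breaks a set of configurations into per-counter value sets, `dec` rebuilds the product, and a set is Cartesian exactly when decoding its encoding gives it back. The configurations `S1` and `S2` are the ones discussed above, constructed here over a single CA state `q` and counters `x`, `y`; the function names are this example's own.

```python
from itertools import product

# Constructed sample: the DA states S1 and S2 discussed in the text, over the
# single CA state q and the counters x and y.  A configuration is a pair
# (state, memory) with the memory given as a tuple of (counter, value) pairs.
S1 = {("q", (("x", 0), ("y", 0))), ("q", (("x", 1), ("y", 1)))}
S2 = {("q", (("x", 1), ("y", 0))), ("q", (("x", 0), ("y", 1)))}


def enc(S):
    """Definition 4: a DA state (set of CA configurations) becomes the DCSA
    configuration (set of states, s) with s[(x, q)] = {m(x) | (q, m) in S}."""
    states, s = set(), {}
    for q, mem in S:
        states.add(q)
        for x, n in mem:
            s.setdefault((x, q), set()).add(n)
    return frozenset(states), s


def dec(R, s):
    """Decoding: rebuild the configurations as the product of the per-counter
    value sets at each state.  Equals the original set only if that set was
    Cartesian; otherwise it strictly over-approximates it."""
    C = set()
    for q in R:
        counters = sorted(x for (x, p) in s if p == q)
        for vals in product(*(sorted(s[(x, q)]) for x in counters)):
            C.add((q, tuple(zip(counters, vals))))
    return C


def is_cartesian(S):
    """Definition 5 for one set of configurations: no relation between the
    counter values is lost by the encoding, i.e. dec(enc(S)) == S."""
    R, s = enc(S)
    return dec(R, s) == set(S)
```

Running `is_cartesian` on `S1`, `S2` and `S1 | S2` reproduces the text's claim (the first two fail, the union passes), and `enc(S1) == enc(S2)` shows the collision that makes the encoding ambiguous on non-Cartesian sets.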
Subset construction for Cartesian CA. The algorithm below is a generalization of the
subset construction. Let us denote by $index_q(t)$ the term that arises from $t$ by replacing
every variable $x \in X$ by $x_q$, analogously $index_q(\varphi)$ for formulas. We have $Q' \subseteq \mathcal{P}(Q)$,
the initial configuration $I' = \{enc(I)\}$, and the final conditions assign to $R \in Q'$ the
disjunction of the final conditions of its elements, $F'(R) = \bigvee_{q \in R} index_q(F(q))$.

We will construct $DCSA(A)$ which is deterministic and whose runs encode the runs of the
DA $DA(Conf(A))$. $Conf(DCSA(A))$ will be isomorphic to $DA(Conf(A))$. For that, we
need for each transition $\delta$ of $DA(Conf(A))$ one unique transition of $DCSA(A)$ over the
same letter enabled in the encoding of the source of $\delta$ and generating the encoding of
the target of $\delta$. In other words, we need for each transition $dec(R,s) \xrightarrow{a} dec(R',s')$ of
$DA(Conf(A))$ one unique transition $\delta' = R \xrightarrow{a,\varphi,u} R' \in \Delta'$ with $(R',s') = \delta'(R,s)$. That
transition $\delta'$ will be built by summarizing the effect of all base CA $a$-transitions enabled
in the CA configurations of $dec(R,s)$.

To construct the transition $\delta'$, we first translate each base transition $\delta = q \xrightarrow{a,\varphi_\delta,u_\delta} r \in
\Delta$ into its set-version $\delta'$, supposed to transform an encoding of a (Cartesian) set $C$ of
configurations, $enc(C)$, into the encoding of the set of their images under $\delta$, $enc(\delta(C))$,
and enabled if $\delta$ is enabled for at least one configuration in $C$. To that end, assum-
ing $\varphi_\delta = \bigwedge_{x \in X} p_x[x]$, we (1) construct the update $u_\delta^\nabla$ from $u_\delta$ by substituting in every
$u_\delta(x)$, $x \in X$, variables $y \in X$ by their filtered versions $\nabla_{p_y}(y)$, (2) add indices to reg-
isters that mark the current state, resulting in the transition $\delta' = q \xrightarrow{a,\varphi'_\delta,u'_\delta} r$ where
$\varphi'_\delta = index_q(\varphi_\delta)$ and $u'_\delta$ assigns to every $x_r$, $x \in X$, the term $index_q(u_\delta^\nabla(x))$.

The states $Q'$ and the transitions $\Delta'$ are then constructed as the smallest sets satisfy-
ing that $enc(I) \in Q'$ and every $R \in Q'$ has for every $a \in \Sigma$ the outgoing transitions con-
structed as follows. Let $\{q_j \xrightarrow{a,\varphi_j,u_j} r_j\}_{j \in J}$ for some index set $J$ be the set of constituent
$a$-transitions for $R$, all $a$-transitions $\delta'$ where $\delta \in \Delta$ originates in $R$. To achieve deter-
minism, $\Delta'$ has the transition $R \xrightarrow{a,\psi,u} R'$ for every minterm $\psi \in Minterms(\{\varphi_j\}_{j \in J})$.
The update $u$ and target $R'$ are constructed from the set $\{q_j \xrightarrow{a,\varphi_j,u_j} r_j\}_{j \in K}$, $K \subseteq J$, of
constituent transitions with guards $\varphi_j$ compatible with the minterm $\psi$, i.e., with satis-
fiable $\psi \wedge \varphi_j$. $R'$ is the set of their target states, $R' = \{r_j\}_{j \in K}$, and $u(x)$ unites all their
update terms $u_j(x)$, i.e. $u(x) = \bigcup_{j \in K} u_j(x)$, for each $x \in X'$.


Example 1. When showing examples of transition updates, we write $x := t$ to denote
that $u(x) = t$ and we omit the assignments $x := \emptyset$ in CSA.

Let $R = \{p, q\}$ and let the $a$-transitions originating at $R$ be $q \xrightarrow{a,\ \top,\ x := x} s$,
$p \xrightarrow{a,\ x < n,\ x := x+1} r$, and $p \xrightarrow{a,\ x > m,\ x := 1} s$. They induce three constituent transitions for
$R$ and $a$: $q \xrightarrow{a,\ \top,\ x_s := x_q} s$, $p \xrightarrow{a,\ x_p < n,\ x_r := \nabla_{x<n}(x_p)+1} r$, and $p \xrightarrow{a,\ x_p > m,\ x_s := 1} s$. A transition
$R \xrightarrow{a,\psi,u'} R'$ is constructed for each of the following minterms $\psi$: $x_p < n \wedge x_p > m$, $\neg x_p < n \wedge
x_p > m$, $x_p < n \wedge \neg x_p > m$, $\neg x_p < n \wedge \neg x_p > m$. For the first one, all three constituent transi-
tions are compatible and so the update $u'$ is $x_r := \nabla_{x<n}(x_p)+1$, $x_s := x_q \cup 1$ (the update of $x_r$
is taken from the first constituent transition leading to $r$, the update of $x_s$ is the union of the
updates of the two transitions leading to $s$) and the target state is $R' = \{r, s\}$.


$DCSA(A)$ is deterministic since it has a single initial configuration and the guards of
transitions originating in the same state are minterms. The size of $DCSA(A)$ obviously
depends only on the size of $A$ and not on the interpretation of the language.⁴ Especially,
when $A$ is $CA(R)$ for some regex $R$, the size does not depend on $max_R$. The theorem
below is proved in [21].


Theorem 1. $DCSA(A)$ is deterministic, $|DCSA(A)| \in O(2^{|A|})$, and if $A$ is Cartesian, then
$L(A) = L(DCSA(A))$.


Since for regexes with flat counting, our regex to CA algorithm always returns a 
Cartesian CA, we can transform them into DCSA. 


5 Fast Simulation of Counting-set Automata 


In this section, we discuss how a run of a DCSA on a given word can be simulated
efficiently to achieve fast matching. Let us fix a word $w = a_1 \cdots a_n$ together with the
DCSA $A = (X, Q, \Delta, \{\alpha_0\}, F)$. We wish to construct the run of the DCSA on $w$ and test
whether the reached configuration is accepting. We aim at a running time linear in $|w|$
and independent of the sizes of the sets stored in $A$'s registers at run-time.

We will assume that the initial configuration $\alpha_0$ of $A$ assigns to every register a
singleton or the empty set. The assumption is satisfied by CSA constructed from $CA(R)$,
$R$ being any regex, by the algorithms of Section 4 and also Section 6.⁵

Technically, the simulation maintains a configuration $\alpha = (q, s)$, initialized with
$\alpha_0$, and for every $i$ from 1 to $n$, it constructs the transition $\alpha \xrightarrow{a_i} \alpha'$ of $Conf(A)$ and
replaces $\alpha$ by the successor configuration $\alpha' = (q', s')$. We use the key ingredient of
fast simulation from [36], the offset-list data structure for sets of numbers with constant
time addition of 0/1, comparison of the maximum to a constant, reset, and increment of
all values. The problem is that the newly added union and copy of sets are still linear
in the size of the sets, and hence linear in the maximum counter bounds. We show how,
under a condition introduced below, set copy can be avoided entirely and the cost of
union can be amortized by the cost of incrementing the sets. This will again allow a
CSA-simulation in time independent of $max_R$ and falling into $O(|A| \cdot |w|)$.

First, we define a property of CSA sufficient for fast simulation—that the updates 
on its transitions do not replicate counters. 


Definition 6 (Counter replication). We say that a CSA replicates counters if for some
transition $q \xrightarrow{a,\varphi,u} r$, some counter appears in the image of $u$ twice, that is, it appears
in two r-terms of some $u(x)$ or it appears in $u(x)$ as well as in $u(y)$ for $x \neq y$. A non-
replicating CSA does not replicate counters.


For instance, $\{x \mapsto x,\ y \mapsto x+1\}$ and $\{x \mapsto x \cup x+1,\ y \mapsto y\}$ are updates where $x$ is
replicated, $\{x \mapsto x+1,\ y \mapsto y\}$ is not a replicating update.


⁴ It may be interesting to note that, as follows from our formulation of the determinization, the
construction is independent of the particular f.o.l. used to manipulate registers and of its inter-
pretation. The determinization could be applied to any kind of automata that fits the definition
of automata with registers. The numbers could be manipulated by other functions and tests,
natural numbers could be replaced by reals etc. The counting-set automata are themselves an
instance of automata with registers. One could also think about push-down automata or, with
small modifications, variants of data-word automata with registers.

⁵ This is a technical assumption important in order for unions of the initial sets not to influence
the overall complexity of the simulation.
Offset-list data structure. The offset-list data structure of [36] allows constant time
implementation of the set operations of increment of all elements, reset to $\emptyset$ or $\{0\}$ or
$\{1\}$, addition of 0 or 1, and comparison of the maximum with a constant.

It assigns to every counter $x \in X$ a pointer $ol(x)$ to an offset-list pair $(o_x, l_x)$ with the
offset $o_x \in \mathbb{N}$ and a sorted list $l_x = m_1, \ldots, m_k$ of integers. The data structure implement-
ing the list needs constant access to the first and the last element, forward and backward
iteration of a pointer, and insertion/deletion at/before a pointer to an element. This is
satisfied for instance by a doubly-linked list that maintains pointers to the first and the
last element. The offset-list pair represents the set $s(x) = \{m_1 + o_x, \ldots, m_k + o_x\}$. Union
of two such sets is still linear in their size, but we will show that if the CSA does not
replicate counters, the cost of set unions can be amortized by the cost of increments.


Finding the CSA transition and evaluating the update. The first step of computing $\alpha'$
from $\alpha$ is finding the transition $q \xrightarrow{a_i,\varphi,u} q' \in \Delta$, the only $a_i$-transition from $q$ that is
enabled, i.e. where $s \models \varphi$. The simplest algorithm iterates through the transitions of
$A$ and, for each of them, tests whether $s$ satisfies its guard. The cost of evaluating an
atomic counter predicate $p$, i.e., deciding whether $s \models p$, is constant: since the lists $l_x$
are sorted, we only need to access the first or the last element and the offset to decide
$x < n$ or $x > n$, respectively. With that, the cost of evaluating $\varphi$ is linear in the size of
$\varphi$. The cost of the iteration through the transitions of $A$ is then linear in the sum of their
sizes, which is within $O(|A|)$.

Having found $q \xrightarrow{a_i,\varphi,u} q'$, we evaluate its update to compute $s'$ and compute $\alpha'$ as
$(q', s')$. We will explain the algorithm and argue that the amortized cost of computing $s'$
is in $O(|X|)$. The update is evaluated by, for each $x \in X$, evaluating all r-terms in $u(x)$,
uniting the results, and assigning the union to $ol(x)$.

First, we argue that evaluating an r-term $t$ of $u(x)$, i.e. computing $t(s)$, is amortized
constant time. Since the counters are non-replicating, we can compute the value of each
r-term $t[y]$ in situ. That is, we modify the offset-list pair $(o_y, l_y)$ and return the pointer
$ol(y)$. The original value of $y$ can be discarded after evaluating $t[y]$ since $y$ does not
appear in any other r-term. There are 5 cases: (1) If $t$ is 0 or 1, then we return a pointer
to a fresh offset-list pair with the offset 0 and the list containing only 0 or 1, respectively.
This is done in constant time.

(2) If $t$ is $y \in X$, then we return $ol(y)$.

(3) If $t$ is $y + 1$, then $o_y$ is incremented by one. This constant time implementation
of the increment is the reason for pairing the lists with the offsets.

(4) If $t$ is $\nabla_p[y]$, then $l_y$ is filtered by the atomic predicate $p$. Filtering with the
predicate $x > n$ uses the invariant of sortedness of $l_y$. It is done by iterating the following
steps: i) test whether the list head is smaller than $n - o_y$ and ii) if yes, remove the head,
if not, terminate the iteration. Every iteration is constant time: The cost of the iterations
which remove an element is amortized by the cost of additions of the element to the list.
What remains is only the constant cost of the last iteration which detects an element
greater or equal to $n - o_y$, or that the list is empty. Filtering with $x < n$ is analogous (the
iterations test and remove the last element instead of the head).

(5) If $t$ is $\nabla_p(y) + 1$, then the construction for the constant increment is applied after
the constant filter discussed above.
Next, we argue that computing the union of values of the r-terms in $u(x)$ may be
amortized by the cost of evaluating the increment terms. Let $l_1, \ldots, l_n$ be the offset-list
representations of the values of the terms in $u(x)$ computed by the algorithm above.
The offset-list representation of their union is computed by a sequence of merging,
as $merge(l_1, merge(l_2, \ldots merge(l_{n-1}, l_n) \ldots))$. Particularly, given two pointers to offset-
lists $l, l'$, $merge(l, l')$ implements their union: it chooses the offset-list that represents a
set with the larger maximum, assume that it is $l$, and inserts the elements represented by
the other list, $l'$, into it. We say that $l'$ is merged into $l$. This is done by the standard sorted-
list merging in time $O(|l'|)$ where $|l'|$ is the length of $l'$. Since $l'$ is without duplicates
and with minimum 0, $O(|l'|) \subseteq O(max(l'))$ where $max(l')$ is the maximal element.

The $O(max(l'))$ cost is amortized by the cost of evaluating increments. The offset-
list pair at $l'$ has seen at least $max(l') - 1$ increments since the only elements inserted
into it are 0, 1, or, during merge, elements from other sets smaller than $max(l')$. These
increments of $l'$ are the budget used to pay for the merging of $l'$ into $l$. After the
merge, the offset-list pair of $l'$ is discarded (as the CSA is non-replicating, it is no longer
needed), hence the budget is used only once. Last, the assignment of the union to $x$ is
done by a constant time assignment of a pointer to the offset-list returned by the merge.
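The offset-list data structure and the r-term operations of cases (1) to (5), together with the merge whose cost the text charges to earlier increments, as an added example (not the paper's or [36]'s implementation). A Python `deque` stands in for the doubly-linked list (constant access at both ends); `merge` is written as a plain sorted merge and returns the number of moved elements next to the increment budget of the discarded list, so the amortization argument can be checked on a run rather than being reproduced by the container's actual cost. The predicates are taken strictly, $x > n$ and $x < n$, as in Definition 2; the class and method names are this example's own.

```python
from collections import deque


class OffsetList:
    """Offset-list pair (o_x, l_x): a sorted list of integers plus an offset,
    representing the set {m + o_x | m in l_x}.  Added illustration of the
    structure the text describes; a deque plays the doubly-linked list."""

    def __init__(self, values=()):
        self.offset = 0
        self.items = deque(sorted(set(values)))
        self.increments = 0      # budget counter for the amortization argument

    # --- constant-time queries (first/last element plus offset) -----------
    def value(self):
        return {m + self.offset for m in self.items}

    def min_value(self):
        return self.items[0] + self.offset if self.items else None

    def max_value(self):
        return self.items[-1] + self.offset if self.items else None

    def holds_gt(self, n):       # set semantics of x > n: some element is > n
        return bool(self.items) and self.max_value() > n

    def holds_lt(self, n):       # set semantics of x < n: some element is < n
        return bool(self.items) and self.min_value() < n

    # --- constant-time updates, cases (1)-(3) of the text -----------------
    def increment(self):         # y + 1 on every element: just bump the offset
        self.offset += 1
        self.increments += 1

    def add_const(self, c):
        """Insert 0 or 1.  All stored values are >= 0 and c <= 1, so the new
        element belongs at index 0 or 1: constant work, no search."""
        assert c in (0, 1)
        v = c - self.offset
        if not self.items or v < self.items[0]:
            self.items.appendleft(v)
        elif v > self.items[0] and (len(self.items) == 1 or v < self.items[1]):
            self.items.insert(1, v)

    # --- filters, case (4): each removal is paid by the earlier insertion --
    def filter_gt(self, n):      # nabla_{x>n}: pop heads that are <= n
        while self.items and self.items[0] + self.offset <= n:
            self.items.popleft()

    def filter_lt(self, n):      # nabla_{x<n}: pop tails that are >= n
        while self.items and self.items[-1] + self.offset >= n:
            self.items.pop()


def merge(l, lp):
    """Union of two offset-lists.  The list with the larger maximum survives;
    the other one (lp) is merged into it and discarded.  Returns the survivor,
    the number of elements moved (the O(|l'|) cost) and the increments lp had
    accumulated (the budget the text uses to pay for that cost)."""
    if (lp.max_value() if lp.items else -1) > (l.max_value() if l.items else -1):
        l, lp = lp, l
    moved = sorted(lp.value())
    merged, i = deque(), 0
    for v in sorted(l.value()):          # standard sorted merge, no duplicates
        while i < len(moved) and moved[i] < v:
            merged.append(moved[i])
            i += 1
        if i < len(moved) and moved[i] == v:
            i += 1
        merged.append(v)
    merged.extend(moved[i:])
    l.items = deque(v - l.offset for v in merged)
    return l, len(moved), lp.increments
```

Usage: build `l = OffsetList([0])`, call `increment()` three times, `add_const(0)`, `add_const(1)` and `filter_gt(0)` to obtain $\{1, 3\}$; merging a second list that reached $\{2, 3\}$ through two increments moves two elements, which is exactly the budget that list carries.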


Overall complexity of the simulation. Let us define the cost $cost(x)$ of manipulations
with the counter $x \in X$ during one step of the simulation as the sum of the costs of:
(1) evaluating all r-terms containing $x$, (2) merging their offset-lists into other ones, (3)
creating offset-lists for terms 0 or 1 in $u(x)$ and merging them into other offset-lists, (4)
the assignment of the result of $u(x)$ to $x$. The cost of processing a single letter $a_i$ is then
the sum $\sum_{x \in X} cost(x)$ and $|w| \cdot \sum_{x \in X} cost(x)$ is the cost of the entire simulation. Since the
CSA is non-replicating and evaluating a single r-term is amortized constant time, the
cost of (1) is in amortized constant time. The cost of (2) is amortized by increments from
step (1). The creation and insertion of singletons in (3), at most two in $u(x)$, is constant
time. The pointer assignment in (4) is constant time. The $cost(x)$ is therefore amortized
constant time, the amortized time of evaluating the update $u$ is in $O(|X|)$, and the cost of
the updates through the simulation is in $O(|X| \cdot |w|)$. The cost of choosing the transitions,
by evaluating their guards, is in $O(|A| \cdot |w|)$ by the above analysis. Analogously, the cost
of testing the accepting condition at the reached configuration is in $O(|A|)$.


Theorem 2. If $A$ is non-replicating, then its simulation on $w$ takes $O(|A| \cdot |w|)$ time.


6 Augmented Determinization 


In this section, we augment the subset construction from Section 4 with optimiza-
tions that prevent counter replication and hence extend the class of regexes that can
be matched fast by simulation of the CSA. Its optimizations are tailored to CA with the
special properties of $CA(R)$, for a regex $R$, listed in Section 3.


Intuition for the optimizations. The emergence of counter replication and means of 
its elimination in the augmented construction, by techniques of counter sharing and 
increment postponing, are illustrated on simplified fragments of CA in Figure 2. 
[Figure 2: three CA fragments a), b) and c); the drawing is not recoverable from this copy.]

Fig. 2: Sub-structures of CA that are sources of counter replication.


In a), $DCSA(CA(R))$ has transitions $\{q\} \xrightarrow{a,\ x_r := x_q+1,\ x_s := x_q+1} \{r,s\} \xrightarrow{b,\ x_q := x_r \cup x_s} \{q\}$.
The first transition replicates the entire content of $x_q$, the second one unites the
two sets. Both transitions are expensive. They can be optimized by detecting that the
values of $x_r$ and $x_s$ are the same, being generated by syntactically identical updates,
and storing the values in a shared counter $x_{\{r,s\}}$. This would result in transitions
$\{q\} \xrightarrow{a,\ x_{\{r,s\}} := x_q+1} \{r,s\} \xrightarrow{b,\ x_q := x_{\{r,s\}}} \{q\}$, with the replication and union eliminated.

Figure b) then illustrates why a counter $x_P$, $P \subseteq Q$, represents the set of
values shared between the original counters $x_p$, $p \in P$. That is, $x_P$ does not
always hold the entire sets stored in the counters $x_p$, $p \in P$. If their val-
ues are not the same, it stores only their intersection. The value of each
$x_p$ is then partitioned among several shared counters $x_S$ with $p \in S$. In b),
$DCSA(CA(R))$ has transitions $\{q\} \xrightarrow{a,\ x_q := x_q,\ x_r := 1} \{q,r\} \xrightarrow{a,\ x_q := x_q \cup x_r+1,\ x_r := 1 \cup x_r+1} \{q,r\}$,
replicating the counter $x_r$. Counter sharing would then generate the transition
$\{q\} \xrightarrow{a,\ x_{\{q\}} := x_{\{q\}},\ x_{\{r\}} := 1} \{q,r\}$ followed by an $a$-transition from $\{q,r\}$ back to $\{q,r\}$, with counters $x_{\{q\}}$,
$x_{\{r\}}$ for the subsets exclusive to $x_q$ and $x_r$, respectively, and $x_{\{q,r\}}$ for the intersection.

Last, in c), we illustrate the technique of increment postponing. $DCSA(CA(R))$ would
have transitions $\{q\} \xrightarrow{a,\ x_r := x_q+1,\ x_s := x_q} \{r,s\} \xrightarrow{b,\ x_q := x_r \cup x_s+1} \{q\}$. Since the increments
on the two branches happen at different moments, the values of $x_r$ and $x_s$ differ until
the last increment of $x_s$ synchronizes them. We avoid replication by storing the non-
incremented value, obtained from $x_q$, in a counter shared by $x_r$ and $x_s$ and remembering
that an increment of $x_r$ has been postponed. This is marked with $+$ in the name of
the shared counter $x_{\{r^+,s\}}$. When the values of $x_r$ and $x_s$ synchronize (the increment
is applied to $x_s$ too), the postponed increment is evaluated and the $+$-mark is removed.
We would create transitions $\{q\} \xrightarrow{a,\ x_{\{r^+,s\}} := x_{\{q\}}} \{r,s\} \xrightarrow{b,\ x_{\{q\}} := x_{\{r^+,s\}}+1} \{q\}$. If, before the
synchronization, the value of the marked counter is either tested or incremented for the
second time, we declare an irresolvable replication and abort the entire construction
(we allow postponing of only one increment). To prevent this situation from arising
needlessly, we let states remember the counters that must have the empty value and we
ignore these counters.


Augmented Determinization Algorithm. The augmented determinization produces from
$CA(R) = (X, Q, \Delta, \{\alpha_0\}, F)$ the CSA $DCSA^\oplus(CA(R)) = (X^\oplus, Q^\oplus, \Delta^\oplus, \{\alpha_0^\oplus\}, F^\oplus)$. Its coun-
ters in $X^\oplus$ are of the form $x_S$ where $x \in X$ and $S \subseteq Q^+$ and $Q^+ = Q \cup \{q^+ \mid q \in Q\}$. The
guiding principle of the algorithm is that an assignment $s^\oplus$ of $X^\oplus$ represents an assign-
ment $s$ of the counters in $X'$ of $DCSA(CA(R))$, namely, for each $x_q \in X'$,

$$ s(x_q) = \bigcup_{x_S \in X^\oplus,\ q \in S} s^\oplus(x_S) \ \cup \bigcup_{x_S \in X^\oplus,\ q^+ \in S} \{\, n+1 \mid n \in s^\oplus(x_S) \,\}. \qquad (1) $$


We will use some simplifying notation. As discussed in Section 3, by the construc-
tion of $CA(R)$, the increment of $x$ and the guard $x < max_x$ always appear on its transitions
together, without any other guard on $x$. Hence, in $DCSA(CA(R))$, all terms with an incre-
ment or filtering are of the form $\nabla_{x < max_x}(x_{q^\circ}) + 1$. We will denote them by the shorthand
$x_{q^\circ} \oplus 1$ (we are using $q^\circ$ to denote an element from the set $Q^+$, either $q$ or $q^+$, for $q \in Q$).

The states of $DCSA^\oplus(CA(R))$ will additionally be distinguished according to which
of the counters of $X^\oplus$ are active, i.e., could have a non-empty value. Counters always
valued by $\emptyset$ can be ignored, which simplifies transitions and decreases the chance of
an irresolvable counter replication. The states of $DCSA^\oplus(CA(R))$ are thus of the form
$(R, Act)$ where $R \subseteq Q$ and $Act \subseteq X^\oplus$ is a set of active counters.

The initial configuration is $\alpha_0^\oplus = ((\{q_0\}, \{x_{\{q_0\}} \mid x \in X\}), s_0^\oplus)$ where $s_0^\oplus$ assigns $\{0\}$
to every $x_{\{q_0\}}$, $x \in X$, and $\emptyset$ to every other counter in $X^\oplus$. The final condition assignment
$F^\oplus((R, Act))$ is, for each $(R, Act) \in Q^\oplus$, constructed from $F'(R)$ by replacing every
predicate $p[x_q]$ by the disjunction $p[x_q]^{Act} = \bigvee_{x_S \in Act,\ q \in S} p[x_S]$ that encodes $p[x_q]$ using
the counters of $Act$ in the sense of (1).

The transitions in $\Delta^\oplus$ are constructed from transitions in $\Delta'$. For a source state $(R, Act) \in
Q^\oplus$, an original transition $R \xrightarrow{a,\varphi,u} R' \in \Delta'$, and the set of active counters $Act \subseteq X^\oplus$, $\Delta^\oplus$ has
the transition $(R, Act) \xrightarrow{a,\varphi^\oplus,u^\oplus} (R', Act')$, constructed as follows:

The guard $\varphi^\oplus$ is made from $\varphi$ by replacing every predicate $p[x_q]$ by the equivalent
version with shared counters $p[x_q]^{Act}$ (as when constructing $F^\oplus$ above).

The update $u^\oplus$ is constructed in three steps. First, the update $u^{\oplus\prime}$ is made from $u$ by
expressing the r-terms of $u$ using the shared counters $X^\oplus$. Each $t[x_q]$ is replaced by

$$ t^\oplus = \bigcup \Big( \{\, t[x_S] \mid x_S \in Act,\ q \in S \,\} \cup \{\, t[x_S] \oplus 1 \mid x_S \in Act,\ q^+ \in S \,\} \Big). $$

Notice that all postponed increments are evaluated in $u^{\oplus\prime}$, transformed to normal incre-
ments. If $u^{\oplus\prime}$ has an r-term $t \oplus 1 \oplus 1$, i.e., a double increment, then the whole construction
aborts and declares an irresolvable counter replication. We allow postponing only one
increment.⁶ Otherwise, we proceed to resolve counter replication. First, we make sure
that every counter appears in the image of the update only in one kind of r-term. We
collect the set $Conflict$ of all r-terms $x_S \oplus 1$ of $u^{\oplus\prime}$ with conflicting increments, i.e. such
that also $x_S$ is an r-term of $u^{\oplus\prime}$. In the update $u^+$, conflicting increments are postponed. For
$x \in X$, $q \in Q$, and $u^{\oplus\prime}(x_q) = \bigcup T$,

$$ u^+(x_q) = \bigcup (T \setminus Conflict) \quad \text{and} \quad u^+(x_{q^+}) = \bigcup \{\, x_S \mid x_S \oplus 1 \in T \cap Conflict \,\}. $$

The final update $u^\oplus$ then resolves counter replication by grouping r-terms replicated in $u^+$ under a common l-value (we call $z$ an l-value of the r-terms of $u^+(z)$). For an r-term $t$ of $u^+$, let $lval(t)$ be the set of its l-values. Note that $lval(t)$ is always of the form $\{x_{q^\circ}\}_{q^\circ \in S}$ for some fixed $x \in X$ (see property 4 of $\mathrm{CA}(R)$ in Section 3). We let $Act'$ be the set of counters $x_S$ with $lval(t) = \{x_{q^\circ}\}_{q^\circ \in S}$ for some r-term $t$ of $u^+$. For all $x_S \in X^\oplus$, if $x_S \notin Act'$ then $u^\oplus(x_S) = \emptyset$, else

$u^\oplus(x_S) = \bigcup \{t \mid t \text{ is an r-term of } u^+ \text{ and } lval(t) = \{x_{q^\circ}\}_{q^\circ \in S}\}.$


6 Also transition guards and final conditions of $\mathrm{DCSA}^\oplus(\mathrm{CA}(R))$ must not contain the $+$-mark, since evaluating them regardless of the postponed increments would return incorrect results. However, declaring counter replication on seeing a double increment here covers these cases due to the structural properties of $\mathrm{CA}(R)$.
Example 2. Let us have R4a,ọ,u}>R' € A’ created in Example 1 with R = {p,q}, R' = 
{7,5}, Q =Xp<nAxp>m, and u = {xr :=Xp G1, xXs:=xXq U 1}. Let Act = {Xip q} X{pgh} }- 
Then u®* = {xp := Xip} © 1UXtp 9} O1,%s = X{p qt} D 1U Xip q} U 1}. Note that the 
Xq in u(xs) becomes X{p,q'} ® 1, corresponding to the right part of the definition of t° 
(the postponed increment x,: is evaluated in w*"). Note that the r-term X{pq} ® 1 is in 
Conflict as x{ p,q} is an r-term of u®™ too. Therefore it is postponed in u”, i.e. u®"(x,) = 
Xip} DLU- becomes u* (x,+) = X4p 9}. We get ut = {Xp =X fp gi} D 1, Xs = Xip gi} © 
1Ux{p g U1, x = x1 nahh Finally, u° groups r-terms replicated in u* under a common 
l-value: u* = {X45} :=Xp.gt} B 1x15} = 1,x15,-+} -=X{p,q} }- The next active counters 
are Act’ = {Xfr,5} X{s}sX{s°}}- Note that, for x,, g+}, the postponed increment at p* was 
synchronized on this transition, while the conflict at x{p 4} was solved by postponing 
increment and marking r with +. 


The algorithm either returns the CSA $\mathrm{DCSA}^\oplus(\mathrm{CA}(R))$, or detects an irresolvable counter replication, in which case $\mathrm{DCSA}^\oplus(\mathrm{CA}(R))$ does not exist.$^7$ Let $m = |R|$ and recall that $n$ denotes the length of the matched text, $|w|$. Since $\mathrm{CA}(R)$ has at most $m$ states and $m^2$ transitions, a basic analysis of the algorithm's data structures reveals that the resulting CSA has at most $2^{2m}$ states, each with at most $2^m$ outgoing transitions, each transition of size in $O(m 2^m)$. Because $\mathrm{DCSA}^\oplus(\mathrm{CA}(R))$ encodes $\mathrm{DCSA}(\mathrm{CA}(R))$, it has the same language, and it also inherits its determinism. Since it does not replicate counters, it can be simulated in pattern matching fast, in time linear in the text and independent of the counter bounds. The following theorem is proved in [21].


Theorem 3. For $R$ with flat counting, if $\mathrm{DCSA}^\oplus(\mathrm{CA}(R))$ exists, then it does not replicate counters, its size is in $O(2^{2m} m)$, $L(\mathrm{CA}(R)) = L(\mathrm{DCSA}^\oplus(\mathrm{CA}(R)))$, and it can be simulated on a word $w$ of length $n$ in time $O(2^{2m} m n)$.


Matching can be done in the time of constructing the CSA plus the time of simulating it, which in total is indeed fast: independent of $k$ and linear in $n$. Note also that the $m$ in the exponents above is not the size of the entire regex, but only the size of the counted sub-regexes.


7 Regexes with Synchronizing Counting 


Finally, in this section we define the class of regexes with synchronizing counting, which precisely captures when the CSA created by our construction in Section 6 does not replicate counters and hence allows fast matching (in the sense of Theorem 3).


Definition 7 (Regexes with synchronizing counting). A regex has synchronizing counting iff it has no sub-expression $S\{n,m\}$ where for some $k \in \mathbb{N}$, a word from $L(S)^k$ has a prefix from $L(S)^{k+1}$.


For instance, (ac*){1,4}(ab|ba){3,5}(a(ab)*){2,8} is a regex with synchronizing counting as each word from $L(ac^*)^k$ must contain the symbol a exactly $k$ times, words from $L(ab \mid ba)^k$ must have exactly $2k$ symbols, and words from $L(a(ab)^*)^k$ can be uniquely split at the first a in the a(ab)*. In comparison, (a|aa){2,5} does not have synchronizing counting as $a \cdot a \cdot a$ is a prefix of $aa \cdot aa$.

7 Aborting the construction here simplifies the description, but it would also be possible to continue the construction and return a DCSA that does not guarantee fast simulation.

Intuitively, there is no pair of paths through $\mathrm{CA}(S\{m,n\})$ starting at the same state, over the same word, ending in the same state, where the number of increments differs by two. In such a case, $\mathrm{DCSA}^\oplus(\mathrm{CA}(S\{m,n\}))$ would have to delay two increments, which our construction does not allow. The theorem below is proved in [21].


Theorem 4. Given a regex $R$ with flat counting, the algorithm of Section 6 returns $\mathrm{DCSA}^\oplus(\mathrm{CA}(R))$ if and only if $R$ has synchronizing counting.


Corollary 1. Regexes with flat synchronizing counting have a fast matching algorithm. 


Proof. From Theorems 3 and 4. 


Counting with Markers. Even though designing and recognizing synchronizing counting is usually intuitive, it may also be tricky. For instance, (\d+\.){3}, from the database of real-world regexes we use in our experiment, has synchronizing counting, while ICE_Dims.{92}((_?(X|\d+)){13}) does not.$^8$ A vast majority of the real-world regexes we examined fortunately belong to very easily recognizable subclasses of synchronizing counting. The most wide-spread and easiest to recognize are regexes with letter-marked counting, where every sub-expression $S\{m,n\}$ has a set of marker letters such that every word from $L(S)$ has exactly one occurrence of a marker letter.$^9$

Marker letters may be generalized to marker words, though markers that can arise by concatenation of several words from $L(S)$ cannot be used. The condition that has to be satisfied is that any word from $L(S)^k$, $k \in \mathbb{N}$, has exactly $k$ non-overlapping occurrences of marker words as infixes. Another sufficient property of $S$ is that it has words of a uniform length. The idea of markers may be generalized further until the point when the set of marker words is specified by general regexes, when we get precisely the synchronizing counting. Regexes with letter-marked counting are easily recognizable by humans as well as by machines (see a simple $O(|R|^2)$-time algorithm in [21]).
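The two easily recognizable subclasses named above (letter-marked counting, and counted sub-expressions whose words all have one length), applied to the examples of Definition 7, can be checked mechanically. The Python below is an added example written for this page; it is not the checker of [21] and not code from the paper's authors. It represents a regex as a small tuple AST (the constructors lit, cat, alt, star and count are this example's own) and computes, by structural recursion, the exact minimum and maximum number of marker letters in any word of a sub-expression; a counted sub-expression is letter-marked when some set of letters yields exactly one occurrence per word. The subset search is exponential only in the number of letters that never occur twice in a word, which is small in practice. On the paper's synchronizing example (ac*){1,4}(ab|ba){3,5}(a(ab)*){2,8} the third counter is neither letter-marked nor of uniform length, so this conservative check does not recognize it although it is synchronizing, while (a|aa){2,5} is flagged and is genuinely non-synchronizing.

```python
from itertools import combinations
from math import inf

# Regex AST as nested tuples (this example's own representation, not the paper's CA(R)).
# 'lit' is a character class: a set of letters, any one of which may stand at that position.
def lit(chars): return ('lit', frozenset(chars))
def cat(*parts): return ('cat', parts)
def alt(*parts): return ('alt', parts)
def star(node): return ('star', node)
def count(node, n, m): return ('count', node, n, m)   # S{n,m}; m may be inf

def letters(node):
    """Alphabet used by the sub-expression."""
    if node[0] == 'lit':
        return set(node[1])
    if node[0] in ('cat', 'alt'):
        return set().union(*(letters(p) for p in node[1]))
    return letters(node[1])

def count_range(node, marks):
    """(lo, hi): least and greatest number of positions holding a letter from `marks` over all
    words of L(node).  Both bounds are attained, since choices in different sub-expressions
    are independent; with marks = the whole alphabet this is the range of word lengths."""
    kind = node[0]
    if kind == 'lit':
        if node[1] <= marks:
            return (1, 1)                        # every choice here is a marker
        if node[1].isdisjoint(marks):
            return (0, 0)                        # no choice here is a marker
        return (0, 1)
    if kind in ('cat', 'alt'):
        ranges = [count_range(p, marks) for p in node[1]]
        if kind == 'cat':
            return (sum(lo for lo, _ in ranges), sum(hi for _, hi in ranges))
        return (min(lo for lo, _ in ranges), max(hi for _, hi in ranges))
    if kind == 'star':
        return (0, 0 if count_range(node[1], marks)[1] == 0 else inf)
    lo, hi = count_range(node[1], marks)         # kind == 'count'
    n, m = node[2], node[3]
    return (n * lo, 0 if hi == 0 or m == 0 else m * hi)

def marker_set(node):
    """A set of marker letters in the sense of Section 7 (every word of L(node) contains exactly
    one letter of the set), or None.  Only letters that never occur twice in a word qualify,
    which keeps the subset search small for realistic sub-expressions."""
    cands = sorted(c for c in letters(node) if count_range(node, {c})[1] <= 1)
    for k in range(1, len(cands) + 1):
        for marks in combinations(cands, k):
            if count_range(node, set(marks)) == (1, 1):
                return set(marks)
    return None

def uniform_length(node):
    """All words of L(node) have one length: the other sufficient condition named in Section 7."""
    lo, hi = count_range(node, letters(node))
    return lo == hi

def unmarked_counters(regex):
    """Counted sub-expressions S of S{n,m} that are neither letter-marked nor of uniform length.
    An empty result places the regex in the easily recognized subclass; a non-empty result does
    NOT prove non-synchronizing counting (the check is conservative)."""
    found = []
    def walk(node):
        kind = node[0]
        if kind == 'count' and marker_set(node[1]) is None and not uniform_length(node[1]):
            found.append(node[1])
        if kind in ('cat', 'alt'):
            for p in node[1]:
                walk(p)
        elif kind in ('star', 'count'):
            walk(node[1])
    walk(regex)
    return found

# Constructed inputs: the regexes of Section 7 and the (\d+\.){3} from "Counting with Markers".
DIGIT = lit('0123456789')
S1 = cat(lit('a'), star(lit('c')))                               # ac*
S2 = alt(cat(lit('a'), lit('b')), cat(lit('b'), lit('a')))       # ab|ba
S3 = cat(lit('a'), star(cat(lit('a'), lit('b'))))                # a(ab)*
R_SYNC = cat(count(S1, 1, 4), count(S2, 3, 5), count(S3, 2, 8))  # (ac*){1,4}(ab|ba){3,5}(a(ab)*){2,8}
R_NOT_SYNC = count(alt(lit('a'), cat(lit('a'), lit('a'))), 2, 5) # (a|aa){2,5}
R_DIGITS = count(cat(count(DIGIT, 1, inf), lit('.')), 3, 3)      # (\d+\.){3}

if __name__ == '__main__':
    for name, s in (('ac*', S1), ('ab|ba', S2), ('a(ab)*', S3)):
        print(name, 'markers:', marker_set(s), 'uniform length:', uniform_length(s))
    print('unrecognized counters in R_SYNC:', len(unmarked_counters(R_SYNC)))          # 1 (a(ab)*)
    print('unrecognized counters in (a|aa){2,5}:', len(unmarked_counters(R_NOT_SYNC)))  # 1
    print('unrecognized counters in (\\d+\\.){3}:', len(unmarked_counters(R_DIGITS)))   # 0
```

A check of this kind is cheap enough to run over a whole signature set, such as the Snort or Bro rules the benchmark of Section 8.1 draws on, to flag the counted sub-expressions that will not get the bound-independent matching of Theorem 3 and may deserve a rewrite into marked form.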


8 Practical Considerations 


Although the main point of this work is the theoretical feasibility of fast matching with 
synchronizing counting, we will also argue that the results are of practical relevance. 
To this end, we show experimentally that synchronizing counting and marked counting 
cover a majority of practical regexes. We also give arguments that matching with the 
CSA constructed in Section 6 can be done efficiently. 


8 An automated way of identifying synchronizing counting would be running the CSA-to-DCSA determinization from Section 6, but this is exponential in $|R|$.

9 Letter-marked counting is a strict superset of the class that is conjectured in [36] to be handled by the algorithm of [36]. The conjecture of [36] is also not correct, as shown in [21].
8.1 Occurrence of Synchronizing Counting in Practice 


To substantiate the practical relevance of synchronizing counting regexes, we examined 
a large sample of practical regexes using a simple checker of letter-marked counting. 
The benchmark consists of over 540 000 regexes collected from (1) a large scale anal- 
ysis of software projects [10]; (2) regexes used by network intrusion detection systems 
Snort [27], Bro [29], Sagan [34], and the academic papers [42,38]; (4) the RegExLib 
database of regexes [28]. 

From the regexes that we could parse,$^{10}$ 31975 contained counting. We selected those with flat counting and with the sum of upper bounds of counters larger than 20 (as was done in [36] to filter out counting with small bounds that can be handled through counter unfolding and traditional methods).$^{11}$ This left us with 5751 regexes. From these, only 46 regexes (0.8 %) have counting that is not letter-marked. Furthermore, we manually checked these regexes and identified that 22 of them have synchronizing counting. We have therefore found only 24 regexes with non-synchronizing counting, i.e., 0.4 % of the examined set of regexes with flat counting.

The 24 non-synchronizing regexes are listed in [21]. Some of them may clearly be rewritten with synchronizing counting, such as (.+){25}(.*), which can be rewritten as .{25,}(.*). We speculate that some of them might in fact represent a mistake, such as (.*){1,32000}[bc] where the counter matches the empty word, or (\n\s+)(criterion .*\n)(\s.+){1,99} where the \s.+ might have been intended as \s\S+ (\s are white spaces, \S are all the other characters). Synchronizing counting seems to capture the intuition with which counting is often written, hence reporting non-synchronizing counting might help identify bugs.

By the same methodology and from a nearly identical benchmark, [36] arrived at a sample of 5 000 regexes with flat counting with the sum of bounds larger than 20. The algorithm of [36] did not cover 571 regexes from the 5 000, which is 11 % of the examined set of regexes with flat counting (in contrast to the 0.4 % with non-synchronizing counting and the 0.8 % with counting that is not letter-marked, measured on a slightly larger set of regexes). The two sets of regexes with flat counting, the 5751 of ours and the 5 000 of [36], are not perfectly identical, however. Differences are to a small degree caused by differences in the base database ([36] uses about 18 more regexes that are proprietary and excludes 26 regexes with counter bounds larger than 1 000), and to a larger degree by small differences in the parsers.


8.2 Practical Efficiency of Matching with Synchronizing Counting 


The size and the worst-case time of simulation of $\mathrm{DCSA}^\oplus(\mathrm{CA}(R))$ are still exponential in the number of states of $\mathrm{CA}(R)$ (namely, $O(2^{2m} m)$ and $O(2^{2m} m n)$ where $m = |R|$ equals the number of states of $\mathrm{CA}(R)$, cf. Theorem 3). The potential problem is that the algorithm may generate up to $2^m$ counters, and this potentially threatens the practicality of our matching algorithm.


10 We did not parse 38558 regexes since their syntax was broken or contained some advanced 
features we do not support. 
11 926 regexes contain nested counting and 25297 regexes contain small upper bounds. 
First, it should be noted that the $m$ in the exponent can be decreased from the size of the entire regex to the size of the counted sub-expression, which is usually very small. Then, although an efficient implementation is beyond the scope of this paper and we are leaving it as future work, we give some indirect arguments for the practicality of the CA-to-CSA algorithm.$^{12}$

By the standard techniques of register allocation [1], it is possible to decrease the 
number of counters and counter assignments other than identity dramatically. In fact, 
simply eliminating needless renaming of counters and reusing the same name whenever 
possible, our algorithm creates CSA isomorphic to those of [36] when run on regexes 
handled by [36]. The work [36] already shows that simulating these CSA may be done 
efficiently and that it brings dramatic improvements over best matchers on counting- 
intensive examples. 

In our experience with hand-simulating the algorithm on practical examples, cases 
not handled by [36] do not behave much differently, and the numbers of CSA counters 
do not have a strong tendency to explode. 


9 Conclusions 


We have extended the regex matching algorithm of [36] and shown that the extended 
version allows fast pattern matching of so-called synchronising regexes, a class of 
regexes that we have newly introduced. The class of synchronising regexes significantly 
extends all previously known classes of regexes that allow fast matching and covers a 
majority of regexes appearing in practice (wrt. our empirical study). 

In the future, we plan to study extensions of the presented techniques to regexes with 
nested counting (non-flat). This will probably require a more sophisticated alternative 
of the offset-list data structure for sets, capable of storing relations of numbers. An 
interesting question is also how and when regexes can be rewritten to a synchronizing 
form and for what cost. 
Abstract. Active automata learning has been a successful technique 
to learn the behaviour of state-based systems by interacting with them 
through queries. In this paper, we develop a compositional algorithm 
for active automata learning in which systems comprising interleaving 
parallel components are learned compositionally. Our algorithm auto- 
matically learns the structure of systems while learning the behaviour 
of the components. We prove that our approach is sound and that it 
learns a maximal set of interleaving parallel components. We empirically 
evaluate the effectiveness of our approach and show that our approach 
requires significantly fewer numbers of input symbols and resets while 
learning systems. Our empirical evaluation is based on a large number of 
subject systems obtained from a case study in the automotive domain. 


1 Introduction 


Active automata learning has been successfully used to learn models of complex 
industrial systems such as communication- and security protocols [11], biometric 
passports [2], smart cards [1], large-scale printing machines [33], and lithogra- 
phy machines for integrated circuits [32,15]; we refer to the recent survey by 
Howar and Steffen on the practical applications of active automata learning 
[16]. Throughout these applications of automata learning, scalability issues have 
been pointed out [32,15]. It has also been suggested that compositional learning, 
i.e., learning a system through learning its components, is a promising approach 
to tame the complexity of learning [10,12]. 

Some early attempts have been recently made in learning structured models 
of systems [27,10] (we refer to the Related Work for an in-depth analysis). For 
example, the approach proposed by al-Duhaiby and Groote [10] decomposes 
the learning process into learning its parallel components; however, it relies on 
a deep knowledge of the system under learning, and the intricate interaction 
[Figure 1: three transition diagrams, panels (a), (b) and (c); only the edge labels a/0, b/1 and c/1 survived extraction.]


Fig. 1: (a) Initial system with two concurrent FSMs (b) Partition the input al- 
phabet to 4 elements and learn each component individually (c) Use the counter- 
example ab to merge two components 


of the various actions being learned. In this paper, we propose an approach 
based on Dana Angluin’s celebrated L* algorithm [6], to learn the components 
of a system featuring an interleaving parallel composition. Our approach, called 
CL*, does not assume any pre-knowledge of the structure and the alphabet 
of these components; instead, we learn this information automatically and on- 
the-fly, while providing a rigorous guarantee of the learned information. This 
is particularly relevant in the context of legacy and black-box systems where 
architectural discovery is challenging [8,22]. 


The gist of our approach is to learn the System Under Learning (SUL) in 
separate components with disjoint alphabets. We start with a partition compris- 
ing only singleton sets. The interleaving parallel composition of the components 
gives us the total behavior of the system. We pass the result to the teacher, and 
by exploiting the counter-examples returned, we iteratively merge the alphabet 
of the individual components. 


Example. Figure 1(a) shows an example of two parallel Finite State Machines 
(FSMs) over the input alphabet {a,b,c,d} and output alphabet {0,1}. We start 
by partitioning the alphabet into disjoint singleton sets of elements. The parallel 
composition of the 4 learned FSMs of Figure 1(b) does not comply with the 
original system, and the teacher may return the counter-example ab. The string 
ab generates the output sequence 10 in (a) but the output sequence in (b) is 
11. The counter-example suggests to merge the sets {a} and {b} and restart the 
learning process which leads to the FSMs in Figure 1(c). One further merging 
step results in learning the original system. We provide a theoretical proof of 
correctness of this compositional construction, meaning that it is guaranteed to 
construct a correct system. 


To study the effectiveness of our approach in practice, we designed an em- 
pirical experiment to investigate the following two research questions: 


Compositional Learning for Interleaving Parallel Automata 415 


RQ1 Does CL* require fewer resets, compared to L*? 
RQ2 Does CL* require fewer input symbols, compared to L*? 


Our research questions are motivated by the following facts: 1) Resets are a 
major contributing factor in learning practical systems as they are immensely 
time- and resource consuming [31]. Hence, reducing the number of resets can have 
a significant impact in the learning process. 2) The total number of symbols used 
in interacting with the system under learning provides us with a total measure of 
cost for the learning process and hence, reducing the total cost is a fair indicator 
of improved efficiency [36,9]. 

To answer these questions, we use a benchmark based on an industrial automotive system. We design a number of experiments on learning various combinations of components in this system, gather empirical data, and analyse them through statistical hypothesis testing. Our results indicate that our compositional approach significantly improves the efficiency of learning compared to the monolithic L* learning algorithm. The implementation of the algorithm, experiments, and their results can be found on-line in our lab package [23] (https://github.com/faezeh-1bf/CL-Star).

The remainder of this paper is organised as follows. In Section 2, we review 
the related work and position our research with respect to the state of the art. 
In Section 3, we present the preliminary definitions that are used throughout 
the rest of the paper. In Section 4, we present our algorithm and its proof of 
correctness and termination. We evaluate our algorithm on a benchmark from 
the automotive domain in Section 5. We conclude the paper and present the 
directions of our ongoing and future research in Section 6. 


2 Related Work 


Active automata learning is a technique used to find the underlying model of 
a black box system by posing queries and building a hypothesis in an iterative 
manner. There is substantial early work in this domain, e.g., under the name 
system identification or grammar inference; we refer to the accessible introduc- 
tion by Vaandrager [36] for more information. A seminal work in this domain is 
the L* algorithm by Dana Angluin [6], which comes with theoretical complexity 
bounds for the learning process using a representation called the “Minimally 
Adequate Teacher” (MAT). 

MAT hypothesises a teacher that is capable of responding to membership 
queries (MQs) and equivalence queries (EQs); the former checks the outcome of a 
sequence of inputs (e.g., with their respective outputs, or with their membership 
in the language of the automaton) and the latter checks whether a hypothesised 
automaton is equivalent to the system under learning. Our work replaces a single 
MAT with multiple MATs that can potentially run in parallel and learn different 
components of the black-box system automatically. 

Learning structured systems and in particular, compositional learning of par- 
allel systems has been studied recently in the literature. Moerman [27] proposes 
an algorithm to learn parallel interleaving Moore machines. Our algorithm dif- 
fers from Moerman’s algorithm in that in the parallel composition of Moore 
machines, the output of each individual component is explicitly specified, be- 
cause the output of the system is specified as a tuple of the outputs of its com- 
ponents. In other words, the underlying structure is immediately exposed by 
considering the type of outputs produced by the system under learning. How- 
ever, in our approach, we need to identify the components and assign outputs to 
them on-the-fly since the decomposition is not explicit in parallel composition. 
Al-Duhaiby and Groote [10] learn parallel labelled transitions systems with the 
possibility of synchronisation among them. In order to develop their algorithm, 
they assume a priori knowledge of mutual dependencies among actions in terms 
of a confluence relation. This type of information is difficult to obtain and the 
domain knowledge in this regard may be error prone. Particularly for legacy and 
large black-box systems (e.g., binary code), architectural discovery has proven 
challenging [8,22]. We address this challenge and go beyond the existing ap- 
proaches by learning about confluence of actions on-the-fly through observing 
the minimal counter-examples generated by the MAT(s). 


Frohme and Steffen [12] introduce a compositional learning approach for Systems of Procedural Automata [13]; these are collections of DFAs that may “call” each other, akin to the way non-terminals may be used in defining other non-terminals in a grammar. Their approach is essentially different from ours in that
the calls across automata are assumed to be observable and hence the general 
structure is assumed to be known; in our approach, we learn the structure by 
observing implicit dependencies among the learned automata through analysing 
counter-examples. Also their approach is aimed at a richer and more expressive 
type of systems, namely pushdown systems, which justifies the requirement for 
additional information. 


L* has been improved significantly in the past few years; the major improve- 
ments upon L* can be broadly categorised into three categories: 1) improving the 
data structures used to store and retrieve the learned information [21,31,19,37]; 
2) improving the way counter-examples are processed in refining the hypothesis 
[31,28,3,17]; 3) learning more expressive models, such as register- [18,14] and 
timed automata [34,5]. This third category of improvements is orthogonal to our 
contribution and extension of our approach can be considered in those contexts 
as well. 


Two notable recent improvements, in the first two categories, are L# [37] and $L^\lambda$ [17], respectively. L# uses the notion of apartness to organise and maintain a tree-shaped data-structure about the learned automaton. $L^\lambda$ uses a search-based method to incorporate the information about the counter-example into the learned hypothesis. The improvements brought about by $L^\lambda$ can be readily incorporated into our approach, particularly since our approach relies on finding minimal counter-examples. Integrating our approach into L# requires a more careful consideration of maintaining and composing tree-shaped data structures when detecting dependencies. We expect that both of these combinations will further improve the efficiency of our proposed method.
3 Preliminaries 


In this section, we review the basic notions used throughout the remainder of 
the paper. We start by formalising the notion of a finite state machine, which 
is the underlying model of the system under learning and move on to paral- 
lel composition and decomposition (called projection) as well as the concept 
of (in)dependent actions, which are essential in identifying the parallel compo- 
nents. Finally, we conclude this section by recalling the basic concepts of active 
automata learning and the L* algorithm. 


3.1 Finite State Machines (FSMs) 


Finite state machines (also called Mealy machines), defined below, are straight- 
forward generalisations of finite automata in which the transitions produce out- 
puts (rather than only indicating acceptance or non-acceptance): 


Definition 1. (Finite State Machine) A Finite State Machine (FSM) $M$ is a six-tuple $(S, s_0, I, O, \delta, \lambda)$ where:

— $S$ is a finite set of internal states,
— $s_0 \in S$ is the initial state,
— $I$ is a set of actions, representing the input alphabet,
— $O$ is the set of outputs,
— $\delta : S \times I \to S$ is a total state transition function,
— $\lambda : S \times I \to O$ is a total output function.


An FSM starts in the initial state $s_0$ and accepts a word (a sequence of actions of its input alphabet) in order to produce an equally-sized sequence of outputs. The state transition function $\delta$ and the output function $\lambda$ determine the next state and the output of an FSM upon receiving a single input. For each $s, s' \in S$, $i \in I$, and $o \in O$, we write $s \xrightarrow{i/o} s'$ when $\delta(s, i) = s'$ and $\lambda(s, i)= o$.

State transitions are extended inductively from a single input $i \in I$ to a sequence of inputs $w \in I^*$, i.e., we define $\delta(s, \varepsilon) = s$ and $\lambda(s, \varepsilon) = \varepsilon$ where $\varepsilon$ is the empty sequence; and for $s \in S$, $w \in I^*$, and $a \in I$, we have $\delta(s, wa) = \delta(\delta(s, w), a)$ and $\lambda(s, wa) = \lambda(s, w)\,\lambda(\delta(s, w), a)$, where juxtaposition of sequences denotes concatenation. For the sake of conciseness, we write $\delta(w)$ and $\lambda(w)$ instead of $\delta(s_0, w)$ and $\lambda(s_0, w)$.

In much of the literature in active learning, the system under learning is as- 
sumed to be complete and deterministic and we follow this common assumption 
in Definition 1 by requiring the state transition and output relations to be total 
functions. While the determinism assumption is essential for our forthcoming re- 
sults to hold, we expect that the existing recipes for learning non-deterministic 
state machines can be made compositional using a similar approach as ours. 
3.2 (De)Composing FSMs 


Our aim is to produce a compositional learning algorithm for systems composed 
of interleaving parallel components, defined below. Due to the interleaving na- 
ture of parallel composition and determinism of the system under learning, the 
alphabets of these components are assumed to be disjoint. 


Definition 2. (Interleaving Parallel Composition) For two FSMs $M_i = (S_i, s_{0_i}, I_i, O_i, \delta_i, \lambda_i)$, with $i \in \{0, 1\}$, where $I_0 \cap I_1 = \emptyset$, the interleaving parallel composition of $M_0$ and $M_1$, denoted by $M_0 \parallel M_1$, is an FSM defined as

$(S_0 \times S_1,\ (s_{0_0}, s_{0_1}),\ I_0 \cup I_1,\ O_0 \cup O_1,\ \delta,\ \lambda)$

where $\delta$ and $\lambda$ are defined, for $s_0 \in S_0$, $s_1 \in S_1$, and $a \in I_0 \cup I_1$, by

$\delta((s_0, s_1), a) = \begin{cases} (\delta_0(s_0, a), s_1) & \text{if } a \in I_0, \\ (s_0, \delta_1(s_1, a)) & \text{otherwise,} \end{cases}$ and $\lambda((s_0, s_1), a) = \begin{cases} \lambda_0(s_0, a) & \text{if } a \in I_0, \\ \lambda_1(s_1, a) & \text{otherwise.} \end{cases}$


Next, we define the notions of projections for FSMs and for words; these no- 
tions are further used in the notion of (in)dependence and eventually in our proof 
of correctness to establish that the composed system has the same behaviour as 
the composition of the learned components. 


Definition 3. (Projection of an FSM) The projection of an FSM $M = (S, s_0, I, O, \delta, \lambda)$ on a set of inputs $I' \subseteq I$, denoted by $P(M, I')$, is an FSM $(S, s_0, I', O', \delta', \lambda')$, where

— $\delta'(s, a) = \delta(s, a)$ for $a \in I'$,
— $\lambda'(s, a) = \lambda(s, a)$ for $a \in I'$, and
— $O' = \{o \in O \mid \exists a \in I'.\ \exists s \in S.\ \lambda(s, a) = o\}$.


Definition 4. (Projection of a word) The projection of a word $w \in I^*$ on a set of inputs $I' \subseteq I$, denoted by $P_{I'}(w)$, is inductively defined as follows:

$P_{I'}(\varepsilon) = \varepsilon$, and $P_{I'}(au) = \begin{cases} a\,P_{I'}(u) & \text{if } a \in I', \\ P_{I'}(u) & \text{otherwise.} \end{cases}$


Definition 5. (Projection of an output sequence) The projection of the output sequence $w = o_1 \ldots o_n$ with respect to an equally-sized sequence of inputs $v = i_1 \ldots i_n \in I^*$ and a subset of inputs $I' \subseteq I$, denoted by $P_{I'}(w, v)$, is defined as follows:

$P_{I'}(\varepsilon, \varepsilon) = \varepsilon$, and $P_{I'}(ow, av) = \begin{cases} o\,P_{I'}(w, v) & \text{if } a \in I', \\ P_{I'}(w, v) & \text{otherwise.} \end{cases}$
Definition 6. ((In)Dependent Actions) Consider an FSM $M$ with a set of inputs $I$. The subsets $I_0, \ldots, I_n \subseteq I$ form an independent partition of $I$ when for any $u \in I^*$, $\lambda_{P(M, I_0) \parallel \ldots \parallel P(M, I_n)}(u) = \lambda_M(u)$. Two inputs $i_0, i_1 \in I$ are independent when they belong to two distinct subsets of an independent partition. Two input actions are dependent when they are not independent.


Example. The partition $\{\{a\}, \{b\}, \{c, d\}\}$ in Figure 1(a) is not an independent partition because $\lambda_M(ab) = 10$ but $\lambda_{P(M, \{a\}) \parallel P(M, \{b\}) \parallel P(M, \{c, d\})}(ab) = 11$.
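Definitions 2 to 6 and the example above, worked in Python as an added example; this is not the paper's implementation and not code from its lab package. The FSM representation, the parallel composition, the three projections and the decision procedure for independence are this example's own constructions, and the system is a constructed two-component machine over {a, b} and {c, d} (not the one in Figure 1) chosen so that, as in the example, the singleton partition is refuted by the counter-example ab with outputs 10 versus 11. Independence is decided exactly by exploring the reachable product of M and the composition of its projections, rather than by sampling words, so a returned word is a genuine distinguishing input and None means the partition is independent.

```python
from itertools import product

class FSM:
    """Mealy machine of Definition 1.  delta and lam are dicts keyed by (state, input);
    both must be total on states x inputs."""
    def __init__(self, states, init, inputs, delta, lam):
        self.S, self.s0, self.I = frozenset(states), init, frozenset(inputs)
        self.delta, self.lam = dict(delta), dict(lam)

    def run(self, word, start=None):
        """Extended output function lambda(start, word); start defaults to s0."""
        s, out = (self.s0 if start is None else start), []
        for a in word:
            out.append(self.lam[(s, a)])
            s = self.delta[(s, a)]
        return ''.join(out)

def parallel(m0, m1):
    """Interleaving parallel composition M0 || M1 (Definition 2); alphabets must be disjoint."""
    assert m0.I.isdisjoint(m1.I), "interleaving composition needs disjoint alphabets"
    states = list(product(m0.S, m1.S))
    delta, lam = {}, {}
    for (s0, s1), a in product(states, m0.I | m1.I):
        if a in m0.I:                       # a moves the left component only
            delta[((s0, s1), a)] = (m0.delta[(s0, a)], s1)
            lam[((s0, s1), a)] = m0.lam[(s0, a)]
        else:                               # a moves the right component only
            delta[((s0, s1), a)] = (s0, m1.delta[(s1, a)])
            lam[((s0, s1), a)] = m1.lam[(s1, a)]
    return FSM(states, (m0.s0, m1.s0), m0.I | m1.I, delta, lam)

def compose_all(machines):
    """Fold || over a list of FSMs (associative up to trace equivalence, as the paper notes)."""
    m = machines[0]
    for other in machines[1:]:
        m = parallel(m, other)
    return m

def project(m, sub):
    """P(M, I') of Definition 3: same states, inputs restricted to I'."""
    sub = frozenset(sub)
    return FSM(m.S, m.s0, sub,
               {k: v for k, v in m.delta.items() if k[1] in sub},
               {k: v for k, v in m.lam.items() if k[1] in sub})

def project_word(w, sub):
    """P_{I'}(w) of Definition 4: drop the inputs outside I'."""
    return ''.join(a for a in w if a in sub)

def project_outputs(out, w, sub):
    """P_{I'}(out, w) of Definition 5: keep the outputs produced by inputs from I'."""
    return ''.join(o for o, a in zip(out, w) if a in sub)

def independence_counterexample(m, blocks):
    """Decide Definition 6 exactly for a partition `blocks` of m.I: explore the reachable product
    of M and ||_i P(M, I_i) breadth-first and return the first word on which their outputs differ
    (the kind of counter-example a teacher returns), or None when the partition is independent."""
    assert frozenset().union(*blocks) == m.I, "blocks must cover the input alphabet"
    comp = compose_all([project(m, b) for b in blocks])
    start = (m.s0, comp.s0)
    path, queue = {start: ''}, [start]
    while queue:
        s, t = queue.pop(0)
        for a in sorted(m.I):
            if m.lam[(s, a)] != comp.lam[(t, a)]:
                return path[(s, t)] + a
            nxt = (m.delta[(s, a)], comp.delta[(t, a)])
            if nxt not in path:
                path[nxt] = path[(s, t)] + a
                queue.append(nxt)
    return None

# Constructed system (not the paper's Figure 1): two components with disjoint alphabets.
M_AB = FSM({'p0', 'p1'}, 'p0', {'a', 'b'},
           {('p0', 'a'): 'p1', ('p0', 'b'): 'p0', ('p1', 'a'): 'p1', ('p1', 'b'): 'p0'},
           {('p0', 'a'): '1', ('p0', 'b'): '1', ('p1', 'a'): '0', ('p1', 'b'): '0'})
M_CD = FSM({'q0', 'q1'}, 'q0', {'c', 'd'},
           {('q0', 'c'): 'q1', ('q0', 'd'): 'q0', ('q1', 'c'): 'q0', ('q1', 'd'): 'q1'},
           {('q0', 'c'): '1', ('q0', 'd'): '0', ('q1', 'c'): '0', ('q1', 'd'): '1'})
SYSTEM = parallel(M_AB, M_CD)   # the black box a learner would only see through queries

if __name__ == '__main__':
    print(independence_counterexample(SYSTEM, [{'a'}, {'b'}, {'c', 'd'}]))  # ab
    print(independence_counterexample(SYSTEM, [{'a', 'b'}, {'c', 'd'}]))    # None
```

The last function is the check a learner cannot perform on a black box (it needs M itself); in CL* its role is played by the equivalence query, whose counter-example tells which alphabet blocks to merge. The Lemma 2 identity $P_{I_i}(\lambda_M(w), w) = \lambda_{P(M, I_i)}(P_{I_i}(w))$ can be exercised on any word with project_outputs, project_word and project.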

It immediately follows from Definition 6 and associativity of parallel compo- 
sition (with respect to trace equivalence) that any coarser partitioning based on 
an independent partition is also an independent partitioning; this is formalised 
in the following corollary. 


Corollary 1. By combining two or more sets of an independent partition, the 
resulting partition remains independent. 


Moreover, it holds that any smaller subset of an independent partitioning is 
also an independent partitioning of the original state machine projected on the 
alphabet of the smaller subset, as specified and proven below. 


Lemma 1. Consider an independent partition $I_0, \ldots, I_n$ of inputs $I$ for an FSM $M$; then for $K \subseteq \{0, \ldots, n\}$, $\{I_i \mid i \in K\}$ is an independent partition for $P(M, \bigcup_{i \in K} I_i)$.


Proof. Consider any subset $K \subseteq \{0, \ldots, n\}$ and $\{I_i \mid i \in K\}$, and consider any input sequence $u \in (\bigcup_{i \in K} I_i)^*$. Since $u$ does not contain a symbol that is in any $I_j$ for $j \notin K$, we have that $\lambda_{\parallel_{i \in K} P(M, I_i)}(u) = \lambda_{P(M, I_0) \parallel \ldots \parallel P(M, I_n)}(u)$. Since $I_0, \ldots, I_n$ are independent, it follows likewise that $\lambda_{P(M, I_0) \parallel \ldots \parallel P(M, I_n)}(u) = \lambda_M(u)$. Using again that $u$ has no symbol in any $I_j$ for $j \notin K$, we know that $\lambda_M(u) = \lambda_{P(M, \bigcup_{i \in K} I_i)}(u)$. Hence, $\lambda_{\parallel_{i \in K} P(M, I_i)}(u) = \lambda_{P(M, \bigcup_{i \in K} I_i)}(u)$, which was to be shown. □


Lemma 2. For any independent partition $I_0, \ldots, I_n \subseteq I$, $w \in I^*$, $0 \le i \le n$, and state $s$ it holds that $P_{I_i}(\lambda_M(s, w), w) = \lambda_{P(M, I_i)}(s, P_{I_i}(w))$.


Proof. The proof uses induction on the length of $w$. Instead of proving the thesis directly, we prove the following stronger statement, which is possible because $M$ can be viewed as the parallel composition of independent components:

$P_{I_i}(\lambda_M((s_0, \ldots, s_n), w), w) = \lambda_{P(M, I_i)}((s'_0, \ldots, s'_n), P_{I_i}(w))$ with $s_i = s'_i$.

Note that the lemma directly follows from this. Below we write $s$ for $s_0, \ldots, s_n$, and likewise for $s'$ and $s''$.

The base case ($|w| = 0$) holds trivially as $w = \varepsilon$. For the induction step we assume that the induction hypothesis holds for $|w| = k$ and we show that it holds for $w' = aw$ for an arbitrary $a \in I$.
We first consider the case where $a \notin I_i$. We derive

$P_{I_i}(\lambda_M(s, aw), aw) = P_{I_i}(\lambda_M(s, a)\,\lambda_M(\delta(s, a), w), aw)$ (Definition 1)
$= P_{I_i}(\lambda_M(\delta(s, a), w), w)$ (Definition 5)
$= \lambda_{P(M, I_i)}(s', P_{I_i}(w))$ (Induction hypothesis)
$= \lambda_{P(M, I_i)}(s'', P_{I_i}(aw))$ (Definition 4).

By construction the $i$-th state in $\delta(s, a)$ is equal to $s_i$ as $a \notin I_i$. Hence, using the induction hypothesis, $s'_i = s_i$. By definition $s' = \delta(s'', a)$ and hence $s''_i = s'_i = s_i$, as we had to show.

The other case we must consider is $a \in I_i$. Again the derivation is straightforward.

$P_{I_i}(\lambda_M(s, aw), aw) = P_{I_i}(\lambda_M(s, a)\,\lambda_M(\delta(s, a), w), aw)$ (Definition 1)
$= \lambda_M(s, a)\,P_{I_i}(\lambda_M(\delta(s, a), w), w)$ (Definition 5)
$= \lambda_M(s', a)\,\lambda_{P(M, I_i)}(\delta(s', a), P_{I_i}(w))$ (Induction hypothesis)
$= \lambda_{P(M, I_i)}(s', P_{I_i}(aw))$ (Definition 4).

Using the induction hypothesis it follows that $s_i = s'_i$, which concludes the proof. □


3.3 Model Learning 


Active model learning, introduced by Dana Angluin, was originally designed to formulate a hypothesis $H$ about the behavior of a System Under Learning (SUL) as an FSM. Model learning is often described in terms of the Minimally Adequate Teacher (MAT). In the MAT framework, there are two phases: (i) hypothesis construction, where a learning algorithm poses Membership Queries (MQ) to gain knowledge about the SUL using reset operations and input sequences; and (ii) hypothesis validation, where based on the model learned so far, the learner proposes a hypothesis $H$ about the “language” of the SUL and asks Equivalence Queries (EQ) to test it. The results of the queries are organised in an observation table. The table is iteratively refined and is used to formulate $H$.


Definition 7. (Observation Table) An observation table is a triple $(S, E, T)$, where $S \subseteq I^*$ is a prefix-closed set of input strings (i.e., prefixes); $E \subseteq I^*$ is a suffix-closed set of input strings (i.e., suffixes); and $T$ is a table whose rows are labeled by elements of $S \cup (S \cdot I)$ and whose columns are labeled by elements of $E$, such that for all $pre \in S \cup (S \cdot I)$ and $suf \in E$, $T(pre, suf)$ is the SUL's output suffix of length $|suf|$ for the input sequence $pre \cdot suf$.


The L* algorithm initially starts with $S$ containing only the empty word $\varepsilon$, and $E$ equal to the input alphabet $I$. Two crucial properties of the observation table, closedness and consistency, defined below, allow for the construction of a hypothesis.
Definition 8. (Closedness Property) An observation table is closed iff for all $w \in S \cdot I$ there is a $w' \in S$ such that for all $suf \in E$, $T(w, suf) = T(w', suf)$ holds.


Definition 9. (Consistency Property) An observation table is consistent iff for all $pre_1, pre_2 \in S$, if for all $suf \in E$, $T(pre_1, suf) = T(pre_2, suf)$, then $T(pre_1 \cdot a, suf) = T(pre_2 \cdot a, suf)$ for all $a \in I$, $suf \in E$.


MQs are posed until these two properties hold, and once they do, a hypothesis $\mathcal{H}$ is formulated. After formulating $\mathcal{H}$, L* works under the assumption that an EQ can return either a counter-example (CE) exposing the non-conformance, or yes, if $\mathcal{H}$ is indeed equivalent to the SUL. When a CE is found, a CE processing method adds prefixes and/or suffixes to the observation table and hence refines $\mathcal{H}$. The aforementioned steps are repeated until the EQ confirms that $\mathcal{H}$ and the SUL are the same. In between MQs, we often need to bring the FSM back to a known state; this is done through reset operations, which are one of our metrics for measuring the efficiency of the algorithm. EQs are posed by running a large number of test cases and hence they are two to three orders of magnitude larger than MQs. These test cases are generated through a random walk of the graph or through a deterministic algorithm that tests all states and transitions for a given fault model. Two examples of deterministic test-case generation algorithms are the W- and WP-method [7]. It appears from recent empirical evaluations that for realistic systems deterministic equivalence queries
are not efficient [4]. 
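As an added illustration (Python, not code from the paper or from its LearnLib-based implementation), the following builds the observation table of Definition 7 for a small constructed Mealy machine, checks the closedness and consistency properties of Definitions 8 and 9, refines the table until a hypothesis can be built, and counts the two cost metrics the paper measures, resets and input symbols, charging one reset per membership query. The SUL and the names Teacher, ObservationTable, mq, unclosed, inconsistent and close are this example's own.

```python
# Added example: an L*-style observation table for a Mealy-machine SUL,
# with the closedness (Definition 8) and consistency (Definition 9) checks.
# The SUL, the Teacher and the ObservationTable class are constructed for
# this illustration; they are not the paper's LearnLib implementation.
from itertools import product

# Constructed SUL: transitions[(state, input)] = (next_state, output).
# Input b only "opens" after an a has armed the machine.
SUL = {("q0", "a"): ("q1", "armed"), ("q0", "b"): ("q0", "denied"),
       ("q1", "a"): ("q1", "armed"), ("q1", "b"): ("q0", "opened")}
INIT, ALPHABET = "q0", ("a", "b")


class Teacher:
    """Answers membership queries (MQs). Every MQ starts with a reset, so the
    two metrics of the paper are: one reset per MQ and |word| input symbols."""

    def __init__(self, trans, init):
        self.trans, self.init = trans, init
        self.resets = self.symbols = 0

    def mq(self, word):
        self.resets += 1
        self.symbols += len(word)
        s, out = self.init, []
        for a in word:
            s, o = self.trans[(s, a)]
            out.append(o)
        return tuple(out)


class ObservationTable:
    """(S, E, T) of Definition 7: T(pre, suf) is the output suffix of length
    |suf| that the SUL produces on the input sequence pre.suf."""

    def __init__(self, teacher, alphabet):
        self.t, self.I = teacher, alphabet
        self.S = {()}                         # L* starts with S = {epsilon}
        self.E = {(a,) for a in alphabet}     # ... and E = I
        self.T = {}
        self.fill()

    def rows(self):
        """Row labels: S together with S.I."""
        return self.S | {s + (a,) for s in self.S for a in self.I}

    def fill(self):
        """Ask an MQ for every cell that has not been filled yet."""
        for pre in self.rows():
            for suf in self.E:
                if (pre, suf) not in self.T:
                    self.T[(pre, suf)] = self.t.mq(pre + suf)[len(pre):]

    def row(self, pre):
        return tuple(self.T[(pre, suf)] for suf in sorted(self.E))

    def unclosed(self):
        """Definition 8: a row of S.I with no equal row in S, or None if closed."""
        s_rows = {self.row(s) for s in self.S}
        for w in sorted(self.rows() - self.S):
            if self.row(w) not in s_rows:
                return w
        return None

    def inconsistent(self):
        """Definition 9: two equal rows of S whose a-successors differ on some
        suffix; returns the new suffix a.suf to add to E, or None if consistent."""
        for p1, p2 in product(sorted(self.S), repeat=2):
            if p1 < p2 and self.row(p1) == self.row(p2):
                for a in self.I:
                    for suf in sorted(self.E):
                        if self.T[(p1 + (a,), suf)] != self.T[(p2 + (a,), suf)]:
                            return (a,) + suf
        return None

    def close(self):
        """Hypothesis construction: refine until closed and consistent, then
        return the number of hypothesis states (distinct rows of S)."""
        while True:
            w = self.unclosed()
            if w is not None:
                self.S.add(w)          # move the unmatched row into S
                self.fill()
                continue
            e = self.inconsistent()
            if e is not None:
                self.E.add(e)          # add the distinguishing suffix to E
                self.fill()
                continue
            return len({self.row(s) for s in self.S})
```

On this SUL the initial table is not closed: the row of the prefix a (output opened on b) matches no row of S, so a is moved into S, four more cells are filled, and the table becomes closed and consistent with two hypothesis states. The teacher's counters then show what an observation table costs in the paper's units: ten resets and twenty-two input symbols for this two-state machine.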

Since we are going to be learning the system in terms of components with 
disjoint alphabets, we define the following projection operator that removes all 
the transitions that are not in the projected alphabet. Our compositional learn- 
ing algorithm basically learns a black-box with respect to its projection on the 
actions available in each purported component. 


Definition 10. (L* with projected alphabet) Given an SUL $M = (S, s_0, I, O, \delta, \lambda)$ and $I' \subseteq I$, $L^*(M, I')$ returns $P(M, I')$ by running algorithm L* with projected alphabet $I'$ on $M$.


4 Compositional Active Learning 


In this section, we present an algorithm that learns the SUL in separate components and uses the interleaving parallel composition of the learned components to reach the total behavior of the system. Each component has an input alphabet $I_i$, which is disjoint from the alphabets of all the other components. The set of the input alphabets of the components $I^P = \{I_1, \ldots, I_n\}$ is a partition of the total system's input alphabet. The main idea is to find an independent partitioning $I^P$. To reach such a partitioning, we start with a partition with singleton sets and iteratively merge those sets that are found to be dependent on each other. Then for $I_i \in I^P$, we learn the SUL with the projected alphabet $I_i$, and compute the product of the obtained components with interleaving parallel composition. The result is equivalent to the SUL if $I^P$ is an independent partition.
Algorithm 1: Compositional Learning Algorithm (CL*)
Result: $\mathcal{H}$
 1  Input: $I^P = \{I_1, \ldots, I_n\}$, $M$
 2  $\mathcal{H} \leftarrow$ LearnInParts($M$, $I^P$)
 3  $eq \leftarrow$ EQUIVALENCE-QUERY($\mathcal{H}$, $M$)
 4  while $eq \neq$ yes do
 5      $CE \leftarrow eq$
 6      $D \leftarrow$ InvolvedSets($CE$, $I^P$)
 7      $I^P \leftarrow$ Composition($I^P$, $D$)
 8      $\mathcal{H} \leftarrow$ LearnInParts($M$, $I^P$)
 9      $eq \leftarrow$ EQUIVALENCE-QUERY($\mathcal{H}$, $M$)
10  end
11  return $\mathcal{H}$, $I^P$


Definition 11. (LearnInParts) The LearnInParts function gets $M = (S, s_0, I, O, \delta, \lambda)$ and the partition $I^P = \{I_1, \ldots, I_n\}$ of $I$ and returns the interleaving parallel composition of the learned components.

LearnInParts($M$, $I^P$) $= L^*(M, I_1) \,\|\, \ldots \,\|\, L^*(M, I_n)$.

Definition 12. (Composition) Given a partition $I^P = \{I_1, \ldots, I_n\}$ and $D \subseteq \{1, \ldots, n\}$, the Composition of $I^P$ over $D$ merges all the $I_i$ ($i \in D$) in $I^P$:

Composition($I^P$, $D$) $= (I^P \setminus \{I_i \mid i \in D\}) \cup \{\bigcup_{i \in D} I_i\}$.

Example. If $I^P = \{\{a\}, \{b\}, \{c\}, \{d\}\}$ and $D = \{1, 3, 4\}$, then Composition($I^P$, $D$) $= \{\{a, c, d\}, \{b\}\}$.

Definition 13. (InvolvedSets) The function InvolvedSets gets a counter-example $CE$ and a partition $I^P = \{I_1, \ldots, I_n\}$ and returns the indices of the sets in $I^P$ that contain at least one character of $CE$:

InvolvedSets($CE$, $I^P$) $= \{j \mid I_j \in I^P,\ \exists i.\ CE[i] \in I_j\}$,

where the $i$-th character of $CE$ is denoted by $CE[i]$.


The function InvolvedSets allows us to detect some dependent sets by using a 
minimal counter-example since all actions in the counter-example are dependent, 
as we prove in Theorem 2. 

Algorithm 1 shows the pseudo-code of the compositional learning algorithm. Initially the algorithm is called with the singleton partitioning $I^P$ of the alphabet $I$ and the SUL $M$, i.e., if the input alphabet is $I = \{a_1, a_2, \ldots, a_n\}$, then the initial partition of the alphabet will be $I^P = \{\{a_1\}, \{a_2\}, \ldots, \{a_n\}\}$. The LearnInParts method on line 2 learns each of the components given the corresponding alphabet set using the algorithm L* and returns the interleaving parallel composition of the learned components. If the oracle (MAT) returns yes for the equivalence query regarding hypothesis $\mathcal{H}$, the algorithm terminates and returns $\mathcal{H}$. Otherwise an(other) iteration of the loop is performed. The InvolvedSets method in line 6 extracts the dependent sets from the counter-example returned by the oracle; subsequently, Composition merges those sets into one. The LearnInParts method in line 8 is run again and the loop continues until the correct hypothesis is learned. We assume that the oracle always returns a minimal counter-example; this assumption is used in the proof of soundness
(Theorem 2). 
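The following Python block is an added example, not the paper's implementation: it runs the partition-refinement loop of Algorithm 1 with Definitions 11 to 13 over a constructed SUL, the interleaving composition of a two-state lock (inputs a and b, where b only opens after an a has armed it) and an independent lamp (input c). Two simplifications are assumptions of the example: $L^*(M, I')$ is replaced by a stand-in (learn_projection) that explores the SUL restricted to $I'$, and the equivalence oracle enumerates input words shortest-first, so it returns a minimal counter-example exactly as the paper assumes. All class and function names are this example's own.

```python
# Added illustration (not the paper's LearnLib implementation): the CL*
# partition-refinement loop of Algorithm 1 over a small Mealy-machine SUL.
# L*(M, I') is replaced by a stand-in that explores the SUL under the
# projected alphabet; the equivalence oracle enumerates words shortest-first,
# so it returns a minimal counter-example as the paper assumes.
from collections import deque
from itertools import product


class Mealy:
    """Deterministic Mealy machine: trans[(state, input)] = (next, output)."""

    def __init__(self, init, trans):
        self.init, self.trans = init, trans

    def run(self, word):
        """lambda_M(s0, word): the output sequence for an input sequence."""
        s, out = self.init, []
        for a in word:
            s, o = self.trans[(s, a)]
            out.append(o)
        return out


def interleave(components):
    """Interleaving parallel composition: the global state is a tuple; an
    input is handed to the one component whose alphabet contains it."""
    owner = {a: k for k, c in enumerate(components) for (_, a) in c.trans}
    init = tuple(c.init for c in components)
    trans, todo, seen = {}, deque([init]), {init}
    while todo:
        s = todo.popleft()
        for a, k in owner.items():
            nxt, o = components[k].trans[(s[k], a)]
            t = s[:k] + (nxt,) + s[k + 1:]
            trans[(s, a)] = (t, o)
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return Mealy(init, trans)


def learn_projection(sul, sub_alphabet):
    """Stand-in for L*(M, I') of Definition 10: returns P(M, I'), the SUL
    restricted to the inputs in I', by exploring it (hypothetical helper
    replacing the real learner)."""
    trans, todo, seen = {}, deque([sul.init]), {sul.init}
    while todo:
        s = todo.popleft()
        for a in sub_alphabet:
            t, o = sul.trans[(s, a)]
            trans[(s, a)] = (t, o)
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return Mealy(sul.init, trans)


def equivalence_query(hyp, sul, alphabet, max_len=6):
    """Exhaustive oracle: shortest-first enumeration, so the first mismatch
    is a minimal counter-example (returned as a list), or None."""
    for n in range(1, max_len + 1):
        for w in product(alphabet, repeat=n):
            if hyp.run(w) != sul.run(w):
                return list(w)
    return None


def involved_sets(ce, partition):
    """Definition 13: indices of the partition blocks touched by CE."""
    return {j for j, block in enumerate(partition) if set(ce) & block}


def composition(partition, involved):
    """Definition 12: merge the involved blocks into one."""
    merged = set().union(*(partition[j] for j in involved))
    rest = [block for j, block in enumerate(partition) if j not in involved]
    return rest + [merged]


def learn_in_parts(sul, partition):
    """Definition 11: learn every block separately, then interleave."""
    return interleave([learn_projection(sul, sorted(b)) for b in partition])


def cl_star(sul, alphabet):
    """Algorithm 1 (CL*): start from singletons and merge the blocks named
    by each minimal counter-example until the oracle answers yes."""
    partition = [{a} for a in sorted(alphabet)]
    hyp, rounds = learn_in_parts(sul, partition), 0
    while True:
        ce = equivalence_query(hyp, sul, sorted(alphabet))
        if ce is None:
            return hyp, partition, rounds
        rounds += 1
        partition = composition(partition, involved_sets(ce, partition))
        hyp = learn_in_parts(sul, partition)


# Constructed SUL: a lock that must be armed (a) before open (b) succeeds,
# composed in parallel with an independent lamp toggled by c.
LOCK = Mealy("idle", {
    ("idle", "a"): ("armed", "armed"), ("idle", "b"): ("idle", "denied"),
    ("armed", "a"): ("armed", "armed"), ("armed", "b"): ("idle", "opened")})
LAMP = Mealy("off", {("off", "c"): ("on", "on"), ("on", "c"): ("off", "off")})
SUL = interleave([LOCK, LAMP])
```

Starting from the singleton partition {{a}, {b}, {c}}, the first equivalence query returns the minimal counter-example ab (the hypothesis answers denied where the SUL answers opened), InvolvedSets yields the blocks of a and b, Composition merges them, and the second round terminates with the independent partition {{c}, {a, b}}; the lamp block is never merged because no counter-example ever involves c together with a or b.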


4.1 Termination Analysis 


To prove the termination of our algorithm, we start with the following lemma 
which indicates how the counter-example is used to merge the partitions. 


Lemma 3. Let $I^P = \{I_1, \ldots, I_m\}$ be a partition of the system's input alphabet. If the teacher responds with a counter-example $CE$, then there are at least two actions $u \in I_i$, $v \in I_j$ in $CE$ such that $I_i \neq I_j$, $I_i, I_j \in I^P$.


Proof. We prove this by contradiction. Suppose $CE$ consists of actions that all belong to $I_i$. Let $C_i = L^*(M, I_i)$ with output function $\lambda_{C_i}$. Since the output of L* is always the correctly learned FSM of the SUL, $\lambda_M(CE) = \lambda_{C_i}(CE)$. Also, since $C_i$ is a component of $\mathcal{H}$ produced by LearnInParts, $\lambda_{\mathcal{H}}(CE) = \lambda_{C_i}(CE)$ based on Definition 2. This means $CE$ cannot be a counter-example. □

The next lemma uses Lemma 3 to show how counter-examples will ensure 
progress in the algorithm, eventually guaranteeing termination. 


Lemma 4. At each round of the algorithm CL*, $|I^P|$ decreases by at least 1.


Proof. By Lemma 3, at each round of the algorithm, at least two dependent sets are found by InvolvedSets, and the algorithm merges these dependent sets into a single set. Thus the size of the partition decrements by at least one; hence, the lemma follows. □
Now we have the necessary ingredients to prove termination below. 


Theorem 1. The Compositional Learning Algorithm terminates. 


Proof. Assume, towards contradiction, that the algorithm does not terminate. Let $I$ be the alphabet, and $I^P_k$ be the partition of $I$ after the $k$-th round of the algorithm. By Lemma 4, after at least $k = |I| - 1$ rounds, $|I^P_k| = 1$. Also by the assumption, the algorithm has not terminated at round $k$. Since $I^P_k = \{I\}$, the algorithm reduces to algorithm L*, which terminates. Hence the contradiction. □

We prove next that every time we merge two partitions, there is a sound 
reason (i.e., dependency of actions) for it. 


Theorem 2. Let $CE$ be the minimal counter-example returned by the oracle at round $k$ of the algorithm and $I^P_k = \{I_1, \ldots, I_n\}$ the partition of the alphabet at the same round. Then, all actions in $CE$ are dependent.
Proof. Let $CE = wa$, $w \in I^*$ and $a \in I$, and let $d = \{d_1, \ldots, d_m\}$ be an independent partition for the SUL $M$. Assume some actions in $w$ are independent from $a$ (proof by contradiction). Let $d_p$ be the set in $d$ that includes $a$. The set $I \setminus d_p$ contains all the actions independent from $a$. For $M$, we define $O_M = P_{d_p}(\lambda_M(wa))$; according to Lemma 2, $O_M = \lambda_{P(M,d_p)}(P_{d_p}(wa))$. The algorithm makes the hypothesis $\mathcal{H} = P(M, I_1) \,\|\, \ldots \,\|\, P(M, I_n)$ at the current round $k$. Since $d_p$ is the union of a subset of $I^P$ (the algorithm has not terminated yet), $O_{\mathcal{H}} = P_{d_p}(\lambda_{\mathcal{H}}(wa)) = \lambda_{P(\mathcal{H},d_p)}(P_{d_p}(wa))$. If $O_{\mathcal{H}} \neq O_M$, then $P_{d_p}(wa)$ is a smaller counter-example than $wa$, which is a contradiction. Otherwise, if $O_{\mathcal{H}} = O_M$, given that $wa$ is a counter-example, $P_{I \setminus d_p}(\lambda_M(wa)) \neq P_{I \setminus d_p}(\lambda_{\mathcal{H}}(wa))$; if so, $P_{I \setminus d_p}(wa)$ is a smaller counter-example, hence the contradiction. □

By Theorems 2 and 1, we have shown that the algorithm detects the indepen- 
dent action sets and eventually terminates. The next theorem is formulated to 
show that it terminates as soon as all dependent action sets have been detected. 


Theorem 3. Let $I^P = \{I_1, \ldots, I_n\}$ be an independent partition of the alphabet at round $k$. The algorithm terminates in this round.


Proof. We prove this by contradiction. Assume that the algorithm does not terminate, and $CE$ is the minimal counter-example returned by the oracle. By Theorem 2, InvolvedSets returns two or more dependent sets from $I^P$. Since all the elements in $I^P$ are pairwise independent, we confront the contradiction. □


4.2 Processing Counter-examples 


As mentioned in Theorem 2, we require all the actions in a minimal counter-example returned by the oracle to be dependent. However, most equivalence checking methods do not find the minimal counter-example. For a non-minimal counter-example, we define a process called "distillation", which asks a number of extra queries to find the dependent actions. It iteratively takes a subset of InvolvedSets($CE$, $I^P$) in the order of their sizes and merges its members together, producing a set $A$. The algorithm returns $P_A(CE)$ as output if it is a counter-example.

Suppose $CE$ is the counter-example returned by the oracle at round $k$ of the algorithm, and $I^P$ is the alphabet partition at that round. To distill two or more dependent sets from $CE$, we follow Algorithm 2. The function CutCE on line 2 takes a counter-example $CE$ and returns the smallest prefix of $CE$ which is also a counter-example (i.e., the SUL and the hypothesis model produce different outputs for it). Then, iteratively, it takes a subset of InvolvedSets($CE$, $I^P$) in the order of their sizes and merges its members together, producing the set $A$. The algorithm returns $P_A(CE)$ as output if it is a counter-example.

The cost of CE-distillation algorithms is exponential in terms of the size of 
CE in the worst case. However, in the results section, we show that in practice, 
the cost of this part is not very significant compared to the total cost of learning. 


Theorem 4. All actions in the output of the CE distillation algorithm are de- 
pendent. 


The proof is omitted as it is similar to the proof of Theorem 2. 
Algorithm 2: CE distillation
Result: $CE_A$
 1  Input: $I^P = \{I_1, \ldots, I_n\}$, $CE$, $M$, $\mathcal{H}$
 2  $CE \leftarrow$ CutCE($CE$)
 3  $D \leftarrow$ InvolvedSets($CE$, $I^P$)
 4  for $k \in \{2, \ldots, \mathrm{size}(D)\}$ do
 5      $C \leftarrow$ all $k$-combinations($D$)
 6      while $C$ is not empty do
 7          $I \leftarrow C$.pop
 8          $A \leftarrow \bigcup_{i \in I} I_i$
 9          $CE_A \leftarrow P_A(CE)$
10          if $CE_A$ is a counter-example then
11              return $CE_A$
12          end
13      end
14 end 
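Algorithm 2 as an added Python example (not the paper's code): the SUL and the hypothesis are constructed transition tables, the hypothesis being what the first CL* round produces when all four inputs are assumed independent (it has forgotten that a arms the lock, so b always answers denied), and a non-minimal counter-example of the kind a random walk returns is cut to its shortest counter-example prefix and then distilled down to the dependent actions. The helper names run, is_counter_example, cut_ce, project and distill are this example's own.

```python
# Added example of Algorithm 2 (CE distillation); not the paper's code.
# SUL and hypothesis are constructed Mealy transition tables evaluated by a
# small `run` helper, standing in for the queries to the SUL and to H.
from itertools import combinations


def run(trans, init, word):
    """Output sequence of the Mealy machine `trans` on `word` from `init`."""
    s, out = init, []
    for a in word:
        s, o = trans[(s, a)]
        out.append(o)
    return out


# Constructed SUL: a lock that must be armed (a) before open (b) succeeds,
# an independent lamp toggled by c, and a no-op button d. State = (lock, lamp).
SUL, SUL_INIT = {}, ("idle", "off")
for lock in ("idle", "armed"):
    for lamp in ("off", "on"):
        s, other = (lock, lamp), "on" if lamp == "off" else "off"
        SUL[(s, "a")] = (("armed", lamp), "armed")
        SUL[(s, "b")] = (("idle", lamp), "opened" if lock == "armed" else "denied")
        SUL[(s, "c")] = ((lock, other), other)
        SUL[(s, "d")] = (s, "tick")

# Constructed hypothesis of the first CL* round (every input in its own
# block): a and b were learned separately, so b always answers "denied".
HYP, HYP_INIT = {}, "off"
for lamp in ("off", "on"):
    other = "on" if lamp == "off" else "off"
    HYP[(lamp, "a")] = (lamp, "armed")
    HYP[(lamp, "b")] = (lamp, "denied")
    HYP[(lamp, "c")] = (other, other)
    HYP[(lamp, "d")] = (lamp, "tick")

PARTITION = [{"a"}, {"b"}, {"c"}, {"d"}]   # I^P at that round


def is_counter_example(word):
    """A word is a counter-example when SUL and hypothesis disagree on it."""
    return run(SUL, SUL_INIT, word) != run(HYP, HYP_INIT, word)


def cut_ce(ce):
    """CutCE (line 2): the shortest prefix of CE that is still a counter-example."""
    for n in range(1, len(ce) + 1):
        if is_counter_example(ce[:n]):
            return ce[:n]
    raise ValueError("not a counter-example")


def involved_sets(ce, partition):
    """InvolvedSets (Definition 13): indices of the blocks that CE touches."""
    return {j for j, block in enumerate(partition) if set(ce) & block}


def project(word, alphabet):
    """P_A(CE): drop every action outside the alphabet A."""
    return [x for x in word if x in alphabet]


def distill(ce, partition):
    """Lines 4-13: try the unions of k involved blocks, smallest k first, and
    return the first projection that is still a counter-example (or None)."""
    ce = cut_ce(ce)
    d = sorted(involved_sets(ce, partition))
    for k in range(2, len(d) + 1):
        for combo in combinations(d, k):
            a = set().union(*(partition[j] for j in combo))
            ce_a = project(ce, a)
            if is_counter_example(ce_a):
                return ce_a
    return None
```

For the random-walk-style counter-example d c a d b c a, CutCE keeps d c a d b (the first prefix on which the SUL answers opened while the hypothesis answers denied); all four blocks are involved, and the first 2-combination tried, {a} with {b}, already yields the projection a b, which is itself a counter-example, so only the two dependent actions are returned and the blocks of c and d are not merged.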


5 Empirical Evaluation 


In this section, we present the design and the results of the experiments carried 
out to evaluate our approach, in order to answer the following research questions: 


RQ1 Does CL* require fewer resets, compared to L*? 
RQ2 Does CL* require fewer input symbols, compared to L*? 


As stated in Section 1, these two research questions measure the efficiency of a learning method in a machine-independent manner: the number of input symbols summarises the total cost of a learning campaign, while the number of resets summarises one of its most costly parts. Note that although active learning processes are structured in terms of queries, the queries used in the processes have vastly different lengths and it has been observed earlier that the total number of input symbols is a more accurate metric for comparison of learning algorithms than the number of queries [36].


5.1 Subject Systems 


A meaningful benchmark for our method should feature systems of various state 
sizes and various numbers of parallel components and with a non-trivial structure 
that may require multiple learning rounds. Also, we would like to have realistic 
systems, so that our comparisons have meaningful practical implications. 

To this end, we choose the Body Comfort System (BCS) [25], which is an 
automotive software product line (SPL) of a Volkswagen Golf model. This SPL 
has 27 components, each representing a feature that provides specific functional- 
ity. The transition system of each component is provided in a detailed technical 
report [24]. We use the finite state machines of the components constructed from 
the transition system representations in [35] and compose several random samples utilising the interleaving parallel composition (Definition 2) to build the product FSMs. We automatically constructed 100 FSMs consisting of a minimum of two and a maximum of nine components in this case study. The maximum number is chosen due to the performance limits of L*; beyond this limit, our learning campaign for L* could take more than four hours. All experiments were conducted on a computer with an Intel® Core™ M-5Y10c CPU and 8GB of physical memory running Ubuntu version 20 and LearnLib version 0.16.0. Our subject systems have a minimum of 300 states and a maximum of 3840 states, and their average number of states is 1278.2 with a standard deviation of 847. We started the calculation of the metrics for subject systems of at least 300 states, since for small subject systems the advantage of compositional learning is not significant.


5.2 Experiment Design 


To answer the research questions, we implemented the compositional learning 
algorithm on top of the LearnLib framework [30]. This implementation uses 
the equivalence oracle in two places; to learn projections in the LearnInParts 
function and to check the hypothesis/SUL equivalence. The performance of the 
algorithm significantly relies on the type of equivalence queries used by the un- 
derlying L* algorithm. We experimented with a number of equivalence methods 
and settled upon using random walks; when using deterministic algorithms such 
as the W- and the WP-method, for large systems, the cost of equivalence 
queries becomes prohibitively high and obscures any gain obtained from com- 
positionality. To ensure that our results are sound, we have carried out similar 
experiments by using an additional deterministic equivalence query at the end 
of the learning campaign, when the last random equivalence query does not re- 
turn any counter-example. This additional step verifies our comparisons when 
an assurance about the accuracy of the learning process is required. More details 
about these additional experiments can be found in our public lab package [23] 
(https: //github.com/faezeh-1bf/CL-Star). 

We enabled caching, since caching significantly reduces repetitive queries. We 
repeat each learning process three times, comparing the number of resets and 
input symbols for L* and CL*. 

In addition to reporting the median metrics, their standard deviations, and 
the relative percentage of improvements, we use the statistical T-test to answer 
the research questions with statistical confidence and report the p-values. We 
analyse the distribution of the results and establish their normality using K- 
tests. We use the SciPy [20] library of Python to perform statistical analysis and 
Seaborn [38] for visualising the results. 


5.3 Results 


In this section, we first present the results of our experiments and use them to 
answer our research questions. Then we show how the number of components in 
an FSM affects the efficiency of our algorithm. Finally, we discuss threats to the 
validity of our empirical results. 

Fig. 2: The total number of input symbols and resets in the CL* and L* methods 


We cluster the benchmark into eight categories based on the FSM’s number of 
states and illustrate the distribution of input symbols and resets for each cluster 
in Figure 2. In this figure, the CL* and L* methods are compared based on the 
metrics mentioned. The scale of the x-axis (the value of metrics) is logarithmic. 

Tables 1 and 2 summarise the results of our experiments. For each category, we calculate the median and standard deviation of our metrics (the number of input symbols and resets) both for L* and CL*. The metric "progress percentage" is defined to measure the improvement brought about by compositional learning (compared to L*). For each metric, the progress percentage is calculated as $(1 - \frac{p}{q}) \times 100$, where $p$ and $q$ are the values of that metric in CL* and L*, respectively. A positive progress percentage in a metric shows that CL* is more efficient in terms of that metric. To measure the statistical significance, we used the one-sided paired sample T-test to check if there was a significant difference ($p < 0.05$) between the metrics in the two algorithms.


Table 1: Comparing the total number of input symbols in the CL* and L* methods

States       | L* median  | L* std. dev. | CL* median | CL* std. dev. | Progress percentage | p-value (one-sided paired T-test)
(300, 600]   | 1443710    | 2834380.581  | 1329818    | 2382620.467   | 14.47 | 7.43e-3
(600, 900]   | 4013396    | 6262292.443  | 1716878.5  | 4408369.926   | 36.44 | 1.54e-8
(900, 1200]  | 6387472    | 6663334.645  | 1714934.5  | 3757307.024   | 52.37 | 8.36e-7
(1200, 1500] | 6259466    | 9311767.302  | 1576494    | 4798094.639   | 57.28 | 6.49e-4
(1500, 1800] | 9700935    | 10726103.24  | 4498072    | 5576873.639   | 54.58 | 4.30e-4
(1800, 2100] | 11070428   | 5310108.013  | 1649557    | 13958718.62   | 37.51 | 2.96e-2
(2100, 2400] | 15348181   | 6287714.182  | 1888226    | 4215184.514   | 70.80 | 1.80e-10
(2400, 3840] | 24700222.5 | 14837416.08  | 4385086    | 13817389.06   | 68.42 | 2.66e-12
Table 2: Comparing the total number of resets in the CL* and L* methods

States       | L* median | L* std. dev. | CL* median | CL* std. dev. | Progress percentage | p-value (one-sided paired T-test)
(300, 600]   | 157971    | 65257.85738  | 10433      | 28259.60196   | 90.46 | 1.05e-33
(600, 900]   | 425260.5  | 77944.01883  | 16808      | 56274.51558   | 86.33 | 1.07e-43
(900, 1200]  | 501347.5  | 147915.8363  | 13109      | 50224.87222   | 90.87 | 3.80e-16
(1200, 1500] | 712999    | 136904.04    | 12811      | 60125.8884    | 91.77 | 4.18e-13
(1500, 1800] | 823482    | 275862.8299  | 48344      | 80507.59837   | 91.73 | 4.97e-13
(1800, 2100] | 1262025   | 188390.1181  | 12412      | 369932.964    | 84.07 | 2.18e-06
(2100, 2400] | 1412237   | 220211.8459  | 15042      | 53006.08784   | 95.83 | 2.44e-14
(2400, 3840] | 1900234   | 427883.9888  | 46624.5    | 201052.8807   | 94.67 | 2.20e-23


Both Tables 1 and 2 indicate major improvements, particularly for large systems, in terms of the total number of input symbols and resets, respectively. Compositional learning reduces the number of symbols by up to 70.80 percent and the number of resets by up to 95.83 percent. The statistical tests also confirm these observations and the p-values obtained from the tests are in all cases very low; in the case of the number of input symbols the p-values range from $10^{-2}$ to $10^{-12}$, while for resets they range from $10^{-6}$ to $10^{-43}$, which are well below the usual statistical threshold (0.05) and represent a very high statistical significance.
Fig. 3: The diagrams of improvement brought about by compositional learning 
vs. size of the SUL in terms of number states (left) and components (right). 


Fig. 4: The effect of FSM sizes in terms of the number of components and states on the total number of input symbols.

The plots in Figure 3 visualise the improvements brought about by compositional learning. This plot demonstrates that the saving due to compositional learning increases as the number of components in SULs increases. We further analysed the trends of our measured metrics in terms of the number of states and the number of parallel components. These trends are depicted for the total number of input symbols in Figure 4 and for the number of resets in Figure 5, respectively. These figures indicate that the increase of both metrics with the number of states is more moderate for the compositional learning approach, i.e., compositional learning is more scalable. More importantly, the right-hand side of both figures signifies the effect of compositional learning when the number of parallel components increases while the number of states remains fixed.

Figure 6 shows the effect of the number of components on the total number 
of input symbols for a fixed state-space size for algorithms L* and CL*. In this 
plot, as the number of components increases, the corresponding dot will become 
darker and larger. According to this figure, the learning cost is lower for SULs 
with more components in both L* and CL*. Still, for CL* (the right side), the 
cost of learning SULs with more components is significantly lower because we 
structurally learn these components essentially independently. 

As mentioned in Section 4.2, the cost of the CE distillation process can 
increase exponentially in the size of the counter-example. However, in practice, 
it seems to be much more tractable. To evaluate this, we count the number 
of input symbols required by the CE distillation process to learn each SUL. 
The median value of this metric is 1961 input symbols, which is insignificant 
compared to the total cost of learning. In fact, the cost of the CE distillation process 
for each group in Table 1 is between 0.037 and 0.12 percent of the total learning 
cost; the reported total learning cost (total number of input symbols) includes 
the cost of CE distillation. 


5.4 Threats to Validity 


In this section, we summarise the major threats to the validity of our empirical 
conclusions. First, we analyse the threats to conclusion validity, i.e., whether the 
empirical conclusions necessarily follow from the experiments carried out. Then, 
we discuss the threats to external validity concerning the generalisation of our 
results to other systems. 

Fig. 5: The effect of the size of FSMs in terms of the number of components and states on the total number of required input resets.

Fig. 6: The relation between the total number of symbols and the number of states and components for the algorithms L* (left) and CL* (right).

We mitigated conclusion validity threats by using statistical tests to ensure that our observations (both in terms of improvement percentages in Tables 1 and 2 and the visual observations in Figure 2) do represent a statistically significant improvement. We opt for one-sided paired sample T-tests in order to minimise the threats to conclusion validity. We only conclude that CL* is more efficient than L* when there is a meaningful difference ($p < 0.05$) between the results of L* and CL*. To make sure that the chosen statistical test is applicable, we analysed the distribution of the data first.


We mitigated the risk of conclusion validity by using subject systems that 
are based on practical systems rather than using randomly generated FSMs. 
However, further research is needed to analyse the performance of our approach 
based on other benchmarks from other domains. We also mitigated the effect 
of using random equivalence queries by repeating the experiments with a final 
deterministic query. 
6 Conclusions 


In this paper, we presented a compositional learning method based on Angluin’s 
algorithm L* that detects and independently learns interleaving parallel compo- 
nents of the system under learning. We proved that our algorithm, called CL*, is 
correct and we empirically showed that it causes significant gains in the number 
of input symbols and the number of resets in a learning campaign. The gain is 
significantly increased with the number of parallel components. 

Our algorithm is naturally amenable to parallelisation and developing a 
parallel implementation is a natural next step. A more thorough investigation 
of counter-example processing in order to efficiently find a minimal counter- 
example is an area of further research, particularly, in the light of the recent 
results in this area [13]. Finding a trade-off between using deterministic and ran- 
dom (or mutation-based) equivalence queries is another area of future research. 
We would also like to investigate the possibility of developing equivalence queries 
that take the structure of the systems into account: we have observed that much 
of the effort in the final equivalence query (on the composed system) is redundant 
and the final equivalence query can be made much more efficient by only consid- 
ering the dependencies among purportedly independent partitions. Finally, ex- 
tending our notion of parallel composition to allow for a possible synchronisation 
of components is another direction of future work; we believe inspirations from 
concurrency theory and in particular, Milner and Moller’s prime decomposition 
theorem [26] may prove effective in this regard. Independently from our work, 
Neele and Sammartino [29] proposed an approach to learn synchronous parallel 
composition, under the assumption of knowing the alphabets of the components. 
This is a promising approach to incorporate synchronous parallel composition 
into our framework. 
Abstract. Pebble transducers are nested two-way transducers which can 
drop marks (named “pebbles”) on their input word. Such machines can 
compute functions whose output size is polynomial in the size of their 
input. They can be seen as simple recursive programs whose recursion 
height is bounded. A natural problem is, given a pebble transducer, to 
compute an equivalent pebble transducer with minimal recursion height. 
This problem has been open since the introduction of the model. 

In this paper, we study two restrictions of pebble transducers, that can- 
not see the marks (“blind pebble transducers” introduced by Nguyén et 
al.), or that can only see the last mark dropped (“last pebble transducers” 
introduced by Engelfriet et al.). For both models, we provide an effective 
algorithm for minimizing the recursion height. The key property used in 
both cases is that a function whose output size is linear (resp. quadratic, 
cubic, etc.) can always be computed by a machine whose recursion height 
is 1 (resp. 2, 3, etc.). We finally show that this key property fails as soon 
as we consider machines that can see more than one mark. 


Keywords: Pebble transducers - Polyregular functions - Blind pebble 
transducers - Last pebble transducers - Factorization forests. 


1 Introduction 


Transducers are finite-state machines obtained by adding outputs to finite auto- 
mata. They are very useful in a lot of areas like coding, computer arithmetic, 
language processing or program analysis, and more generally in data stream 
processing. In this paper, we consider deterministic transducers which compute 
functions from finite words to finite words. In particular, a deterministic two- 
way transducer is a two-way automaton with outputs. This model describes 
the class of regular functions, which is often considered as one of the func- 
tional counterparts of regular languages. It has been intensively studied for its 
properties such as closure under composition [5], equivalence with logical trans- 
ductions [12] or regular expressions [7], decidable equivalence problem [14], etc. 


Pebble transducers and polyregular functions. Two-way transducers can 
only describe functions whose output size is at most linear in the input size. 
A possible solution to overcome this limitation is to consider nested two-way 
transducers. In particular, the model of $k$-pebble transducer has been studied for a long time [13]. For $k = 1$, a 1-pebble transducer is just a two-way transducer. For $k \ge 2$, a $k$-pebble transducer is a two-way transducer that, when on any position $i$ of its input word, can call a $(k-1)$-pebble transducer. The latter takes as input the original input where position $i$ is marked by a "pebble". The main two-way transducer then outputs the concatenation of all the outputs produced along its calls. The intuitive behavior of a 3-pebble transducer is depicted in fig. 1. It can be seen as a recursive program whose recursion stack has height 3.
The class of functions computed by pebble transducers is known as polyregular 
functions. It has been intensively studied due to its properties such as closure 
under composition [11], equivalence with logical interpretations [4], etc. 


Figure 1: Behavior of a 3-pebble transducer. 


Optimization of pebble transducers. Given a $k$-pebble transducer computing a function $f$, a very natural problem is to compute the least possible $1 \le \ell \le k$ such that $f$ can be computed by an $\ell$-pebble transducer. Furthermore, we can be interested in effectively building an $\ell$-pebble transducer for $f$. Both questions are open, but they are meaningful since they ask whether we can optimize the recursion height (i.e. the running time) of a program.

It is easy to observe that if $f$ is computed by a $k$-pebble transducer, then $|f(u)| = O(|u|^k)$. It was first claimed in a LICS 2020 paper that the minimal recursion height $\ell$ of $f$ (i.e. the least possible $\ell$ such that $f$ can be computed by an $\ell$-pebble transducer) was exactly the least possible $\ell$ such that $|f(u)| = O(|u|^\ell)$. However, Bojańczyk recently disproved this statement in [3, Theorem 6.3]: the function inner-squaring $: u_1 \# \cdots \# u_n \mapsto (u_1\#)^n \cdots (u_n\#)^n$ can be computed by a 3-pebble transducer and is such that $|\text{inner-squaring}(u)| = O(|u|^2)$, but it cannot be computed by a 2-pebble transducer. Other counterexamples were given in [16] using different proof techniques. Therefore, computing the minimal recursion height of $f$ is believed to be hard, since this value not only depends on the output size of $f$, but also on the word combinatorics of this output.


438 G. Douéneau-Tabot 


Optimization of blind pebble transducers. A subclass of pebble transducers,
named blind pebble transducers, was recently introduced in [17]. A blind
k-pebble transducer is somehow a k-pebble transducer, with the difference that
the positions are no longer marked when making recursive calls. The behavior of
a blind 3-pebble transducer is depicted in fig. 2. The class of functions
computed by blind pebble transducers is strictly included in polyregular
functions [10,17]. The main result of [17] shows that for blind pebble
transducers, the minimal recursion height for computing a function only depends
on the growth of its output. More precisely, if f is computed by a blind
k-pebble transducer, then the least possible 1 ≤ ℓ ≤ k such that f can be
computed by a blind ℓ-pebble transducer is the least possible ℓ such that
|f(u)| = O(|u|^ℓ).
[Figure 2 (drawing not recoverable); label: "Input word".]

Figure 2: Behavior of a blind 3-pebble transducer.


Contributions. In this paper, we first give a new proof of the connection
between minimal recursion height and growth of the output for blind pebble
transducers. Furthermore, our proof provides an algorithm that, given a function
computed by a blind k-pebble transducer, builds a blind ℓ-pebble transducer
which computes it, for the least possible 1 ≤ ℓ ≤ k. This effective result is
not claimed in [17], and our proof techniques significantly differ from theirs.
Indeed, we make a heavy use of factorization forests, which have already been
used as a powerful tool in the study of pebble transducers [2,8,10].

Secondly, the main contribution of this paper is to show that the (effective)
connection between minimal recursion height and growth of the output also
holds for the class of last pebble transducers (introduced in [13]). Intuitively,
a last k-pebble transducer is a k-pebble transducer where a called submachine
can only see the position of its call, but not the full stack of the former
positions. The behavior of a last 3-pebble transducer is depicted in fig. 3.
Observe that a blind k-pebble transducer is a restricted version of a last
k-pebble transducer. Formally, we show that if f is computed by a last k-pebble
transducer, then the least possible ℓ such that f can be computed by a last
ℓ-pebble transducer is the least possible ℓ such that |f(u)| = O(|u|^ℓ).
Furthermore, our proof gives an algorithm that effectively builds a last
ℓ-pebble transducer computing f.

Figure 3: Behavior of a last 3-pebble transducer.


As a third theorem, we show that our result for last pebble transducers is
tight, in the sense that the connection between minimal recursion height and
growth of the output does not hold for more powerful models. More precisely,
we define the model of last-last k-pebble transducers, which extends last
k-pebble transducers by allowing them to see the two last positions of the calls
(and not only the last one). We show that for all k ≥ 1, there exists a function
f such that |f(u)| = O(|u|^2) and that is computed by a last-last
(2k+1)-pebble transducer, but cannot be computed by a last-last 2k-pebble
transducer. The proof of this result relies on a counterexample presented by
Bojańczyk in [2].


Outline. We introduce two-way transducers in section 2. In section 3 we
describe blind pebble transducers and last pebble transducers. We also state our
main results that connect the minimal recursion height of a function to the
growth of its output. Their proof goes over sections 4 to 6. In section 7, we
finally show that these results cannot be extended to two visible marks.


2 Preliminaries on two-way transducers 


Capital letters A, B denote alphabets, i.e. finite sets of letters. The empty
word is denoted by ε. If u ∈ A*, let |u| ∈ ℕ be its length, and for 1 ≤ i ≤ |u|
let u[i] be its i-th letter. If i ≤ j, we let u[i:j] be u[i]u[i+1]⋯u[j] (empty
if j < i). If a ∈ A, let |u|_a be the number of letters a occurring in u. We
assume that the reader is familiar with the basics of automata theory, in
particular two-way automata and monoid morphisms. The type of total (resp.
partial, i.e. possibly undefined on some inputs) functions is denoted S → T
(resp. S ⇀ T). The machines described in this paper are always deterministic.


Definition 2.1. A two-way transducer 𝒯 = (A, B, Q, q_0, F, δ, λ) consists of:
— an input alphabet A and an output alphabet B;
— a finite set of states Q with q_0 ∈ Q initial and F ⊆ Q final;
— a transition function δ : Q × (A ⊎ {⊢, ⊣}) ⇀ Q × {◁, ▷};
— an output function λ : Q × (A ⊎ {⊢, ⊣}) ⇀ B* with the same domain as δ.
The semantics of a two-way transducer 𝒯 is defined as follows. When given as
input a word u ∈ A*, 𝒯 disposes of a read-only input tape containing ⊢u⊣. The
marks ⊢ and ⊣ are used to detect the borders of the tape; by convention we
denote them by positions 0 and |u|+1 of u. Formally, a configuration over ⊢u⊣
is a tuple (q,i) where q ∈ Q is the current state and 0 ≤ i ≤ |u|+1 is the
position of the reading head. The transition relation → is defined as follows.
Given a configuration (q,i), let (q',⋆) := δ(q, u[i]). Then (q,i) → (q',i')
whenever either ⋆ = ◁ and i' = i−1 (move left), or ⋆ = ▷ and i' = i+1 (move
right), with 0 ≤ i' ≤ |u|+1. A run is a sequence of configurations
(q_1,i_1) → ⋯ → (q_n,i_n). Accepting runs are those that begin in (q_0, 0) and
end in a configuration of the form (q,|u|+1) with q ∈ F (and never visit such
a configuration before).

The partial function f : A* ⇀ B* computed by the two-way transducer 𝒯 is
defined as follows: for u ∈ A*, if there exists an accepting run on ⊢u⊣, then
it is unique, and f(u) is defined as λ(q_1, (⊢u⊣)[i_1]) ⋯ λ(q_n, (⊢u⊣)[i_n]) ∈ B*.
The class of functions computed by two-way transducers is called regular
functions.




Example 2.2. Let \overline{u} be the mirror image of u ∈ A*. Let # ∉ A be a
fresh symbol. The function map-reverse : u_1#⋯#u_n ↦ \overline{u_1}#⋯#\overline{u_n}
can be computed by a two-way transducer that reads each factor u_i from right
to left.


It is well-known that the domain of a regular function is always a regular
language (see e.g. [18]). From now on, we assume without loss of generality
that our two-way transducers only compute total functions (in other words,
they have exactly one accepting run on each ⊢u⊣). Furthermore, we assume that
λ(q, ⊢) = λ(q, ⊣) = ε for all q ∈ Q (we only lose generality for the image of ε).

In the rest of this section, 𝒯 denotes a two-way transducer with input
alphabet A, output alphabet B and output function λ. Now, we define the
crossing sequence in a position 1 ≤ i ≤ |u| of input ⊢u⊣. Intuitively, it
regroups the states of the accepting run which are visited in this position.


Definition 2.3. Let u ∈ A* and 1 ≤ i ≤ |u|. Let (q_1,i_1) → ⋯ → (q_n,i_n) be
the accepting run of 𝒯 on ⊢u⊣. The crossing sequence of 𝒯 in i, denoted
cross^u_𝒯(i), is defined as the sequence (q_j)_{1 ≤ j ≤ n and i_j = i}.


If μ : A* → M is a monoid morphism, we say that any m, m' ∈ M and a ∈ A
define a μ-context that we denote by m[a]m'. It is well-known that the crossing
sequence in a position of the input only depends on the context of this
position, for a well-chosen monoid, as claimed in proposition 2.4 (see e.g. [7]).


Proposition 2.4. One can build a finite monoid T and a monoid morphism
μ : A* → T, called the transition morphism of 𝒯, such that for all u ∈ A*
and 1 ≤ i ≤ |u|, cross^u_𝒯(i) only depends on μ(u[1:i−1]), u[i] and
μ(u[i+1:|u|]). Thus we denote it cross_𝒯(μ(u[1:i−1]) [u[i]] μ(u[i+1:|u|])).


Finally, let us define "the output produced below position i".


Definition 2.5. Let u ∈ A* and 1 ≤ i ≤ |u| and q_1 ⋯ q_n = cross^u_𝒯(i). We
define the production of 𝒯 in i, denoted prod^u_𝒯(i), as λ(q_1, u[i]) ⋯ λ(q_n, u[i]).
By proposition 2.4, it also makes sense to define prod_𝒯(m[a]m') ∈ B* to be
prod^u_𝒯(i) whenever m = μ(u[1:i−1]), m' = μ(u[i+1:|u|]) and a = u[i].


3 Blind and last pebble transducers 


Now, we are ready to define formally the models of blind pebble transducers 
and last pebble transducers. Intuitively, they correspond to two-way transducers 
which make a tree of recursive calls to other two-way transducers. 


Definition 3.1 (Blind pebble transducer [17]). For k ≥ 1, a blind k-pebble
transducer with input alphabet A and output alphabet B is:
— if k = 1, a two-way transducer with input alphabet A and output B;
— if k ≥ 2, a tree 𝒯(ℬ_1, ⋯, ℬ_p) where the subtrees ℬ_1, …, ℬ_p are blind
(k−1)-pebble transducers with input A and output B; and the root label 𝒯
is a two-way transducer with input A and output alphabet {ℬ_1, …, ℬ_p}.


The (total) function f : A* → B* computed by the blind k-pebble transducer of
definition 3.1 is built in a recursive fashion, as follows:

— for k = 1, f is the function computed by the two-way transducer;

— for k ≥ 2, let u ∈ A* and (q_1,i_1) → ⋯ → (q_n,i_n) be the accepting run
of 𝒯 = (A, B, Q, q_0, F, δ, λ) on ⊢u⊣. For all 1 ≤ j ≤ n, let f_j : A* → B*
be the concatenation of the functions recursively computed by the sequence
λ(q_j, (⊢u⊣)[i_j]) ∈ {ℬ_1, …, ℬ_p}*. Then f(u) := f_1(u) ⋯ f_n(u).

The behavior of a blind 3-pebble transducer is depicted in fig. 2.


Example 3.2. The function unmarked-square : A* → (A ⊎ {#})*, u ↦ (u#)^{|u|} can
be computed by a blind 2-pebble transducer. This machine has shape 𝒯(𝒯'):
𝒯 calls 𝒯' on each position 1 ≤ i ≤ |u| of its input u, and 𝒯' outputs u#.
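As an added example (our own code, not the paper's), the run semantics of definitions 2.1, 2.3 and 2.5 and the recursive semantics of definition 3.1 can be executed on the two functions of examples 2.2 and 3.2; the state names, the separator # and the submachine name 'c' are our choices.

```python
# Added example: our own encoding of Definitions 2.1-2.5 and 3.1 as code.
from dataclasses import dataclass, field

LEFT, RIGHT = "<", ">"        # the paper's ◁ / ▷
END_L, END_R = "|-", "-|"     # the endmarkers ⊢ / ⊣ at positions 0 and |u|+1


@dataclass
class TwoWay:
    """Definition 2.1: delta[(q, a)] = (q', direction), lam[(q, a)] = word.
    For the head of a pebble transducer the output letters are one-character
    submachine names, so outputs are plain strings in every case."""
    q0: str
    final: frozenset
    delta: dict
    lam: dict

    def run(self, u):
        """Accepting run on |-u-| as [(state, position, output)], or None
        if the machine blocks, leaves the tape or loops."""
        tape = [END_L, *u, END_R]
        q, i, seen, run = self.q0, 0, set(), []
        while (q, i) not in seen:     # deterministic: a repeat is a loop
            seen.add((q, i))
            a = tape[i]
            run.append((q, i, self.lam.get((q, a), "")))
            if i == len(u) + 1 and q in self.final:
                return run            # first final configuration on -|
            if (q, a) not in self.delta:
                return None
            q, d = self.delta[(q, a)]
            i += 1 if d == RIGHT else -1
            if not 0 <= i <= len(u) + 1:
                return None
        return None

    def __call__(self, u):            # f(u): outputs concatenated along the run
        run = self.run(u)
        if run is None:
            raise ValueError(f"no accepting run on {u!r}")
        return "".join(out for _, _, out in run)

    def cross(self, u, i):            # Definition 2.3: cross^u(i)
        return [q for q, j, _ in (self.run(u) or []) if j == i]

    def prod(self, u, i):             # Definition 2.5: prod^u(i)
        return "".join(out for _, j, out in (self.run(u) or []) if j == i)


def map_reverse(letters="ab"):
    """Example 2.2: R scans a factor to its right end, L walks back over it
    emitting it reversed, S skips forward over it again and emits '#'."""
    delta, lam = {}, {}
    for x in letters:
        delta[("R", x)], lam[("R", x)] = ("R", RIGHT), ""
        delta[("L", x)], lam[("L", x)] = ("L", LEFT), x
        delta[("S", x)], lam[("S", x)] = ("S", RIGHT), ""
    for stop in ("#", END_R):         # end of a factor: turn around
        delta[("R", stop)], lam[("R", stop)] = ("L", LEFT), ""
    for start in ("#", END_L):        # start of the factor: go forward again
        delta[("L", start)], lam[("L", start)] = ("S", RIGHT), ""
    delta[("R", END_L)], lam[("R", END_L)] = ("R", RIGHT), ""
    delta[("S", "#")], lam[("S", "#")] = ("R", RIGHT), "#"
    return TwoWay("R", frozenset({"S"}), delta, lam)


@dataclass
class BlindPebble:
    """Definition 3.1: a leaf is a two-way transducer with output in B*;
    an inner node's head outputs the names of the subtrees it calls."""
    head: TwoWay
    subs: dict = field(default_factory=dict)      # name -> BlindPebble

    def __call__(self, u):
        if not self.subs:
            return self.head(u)
        run = self.head.run(u)
        if run is None:
            raise ValueError(f"no accepting run on {u!r}")
        # blind call: every callee is re-run on the whole, unmarked input u
        return "".join(self.subs[b](u) for _, _, out in run for b in out)


def unmarked_square(letters="ab"):
    """Example 3.2: T(T') with T calling T' (named 'c') at every position
    1..|u| and T' emitting u#.  T' emits '#' on the last letter, after
    bouncing on -|, so it outputs nothing on the endmarkers as Section 2
    assumes (this only changes its image of the empty word, never called)."""
    d1 = {("C", END_L): ("C", RIGHT), ("C", END_R): ("E", LEFT),
          ("E", END_L): ("Z", RIGHT)}
    l1 = {key: "" for key in d1}
    for x in letters:
        d1[("C", x)], l1[("C", x)] = ("C", RIGHT), x     # copy u
        d1[("E", x)], l1[("E", x)] = ("Z", RIGHT), "#"   # then append '#'
    copy = TwoWay("C", frozenset({"Z"}), d1, l1)
    d0, l0 = {("H", END_L): ("H", RIGHT)}, {("H", END_L): ""}
    for x in letters:
        d0[("H", x)], l0[("H", x)] = ("H", RIGHT), "c"   # call 'c' here
    head = TwoWay("H", frozenset({"H"}), d0, l0)
    return BlindPebble(head, {"c": BlindPebble(copy)})
```

Summing the lengths of prod^u(i) over all positions gives |f(u)|, while the order of the productions along the run (not along the tape) gives f(u) itself.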


The class of functions computed by a blind k-pebble transducer for some k ≥ 1
is called polyblind functions [10]. They form a strict subclass of polyregular
functions [8,10,17] which is closed under composition [17, Theorem 6.1].

Now, let us define last pebble transducers. They correspond to blind pebble
transducers enhanced with the ability to mark the current position of the input
when doing a recursive call. Formally, this position is underlined and we define
u•i = u[1] ⋯ u[i−1] \underline{u[i]} u[i+1] ⋯ u[|u|] for u ∈ A* and 1 ≤ i ≤ |u|.

Definition 3.3 (Last pebble transducer [13]). For k ≥ 1, a last k-pebble
transducer with input alphabet A and output alphabet B is:
— if k = 1, a two-way transducer with input alphabet A ⊎ \underline{A} and output B;
— if k ≥ 2, a tree 𝒯(ℒ_1, ⋯, ℒ_p) where the subtrees ℒ_1, …, ℒ_p are last
(k−1)-pebble transducers with input A and output B; and the root label 𝒯
is a two-way transducer with input A ⊎ \underline{A} and output alphabet {ℒ_1, …, ℒ_p}.


The (total) function f : (A ⊎ \underline{A})* → B* computed by the last k-pebble
transducer of definition 3.3 is defined in a recursive fashion, as follows:
— for k = 1, f is the function computed by the two-way transducer;
— for k ≥ 2, let u ∈ (A ⊎ \underline{A})* and (q_1,i_1) → ⋯ → (q_n,i_n) be the
accepting run of 𝒯 = (A ⊎ \underline{A}, B, Q, q_0, F, δ, λ) on ⊢u⊣. For all
1 ≤ j ≤ n, let f_j : (A ⊎ \underline{A})* → B* be the concatenation of the
functions recursively computed by λ(q_j, (⊢u⊣)[i_j]) ∈ {ℒ_1, …, ℒ_p}*. Let
τ : (A ⊎ \underline{A})* → A* be the morphism which erases the underlining
(i.e. τ(\underline{a}) = a), then f(u) = f_1(τ(u)•i_1) ⋯ f_n(τ(u)•i_n).

The behavior of a last 3-pebble transducer is depicted in fig. 3. Observe that
our definition builds a function of type (A ⊎ \underline{A})* → B*, but we shall
in fact consider its restriction to A* (the marks are only used within the
induction step).


Example 3.4 ([1]). The function square : u ↦ (u•1)# ⋯ (u•|u|)# can be computed
by a last 2-pebble transducer, which successively marks and makes recursive
calls in positions 1, 2, etc. However this function is not polyblind [17].


We are ready to state our main result. Its proof goes over sections 4 to 6. 


Theorem 3.5 (Minimization of the recursion height). Let 1 ≤ ℓ ≤ k. Let
f : A* → B* be computed by a blind k-pebble transducer (resp. by a last k-pebble
transducer). Then f can be computed by a blind ℓ-pebble transducer (resp. by a
last ℓ-pebble transducer) if and only if |f(u)| = O(|u|^ℓ).

This property is decidable and the construction is effective.


As an easy consequence, the class of functions computed by last pebble
transducers forms a strict subclass of the polyregular functions (because
theorem 3.5 does not hold for the full model of pebble transducers
[3, Theorem 6.3]) and therefore it is not closed under composition (because any
polyregular function can be obtained as a composition of regular functions and
squares [1]).

Even though a (non-effective) version of theorem 3.5 was already known for
blind pebble transducers [17, Theorem 7.1], we shall first present our proof of
this case. Indeed, it is a new proof (relying on factorization forests) which
is simpler than the original one. Furthermore, understanding the techniques
used is a key step for understanding the proof for last pebble transducers
presented afterwards.


4 Factorization forests 


In this section, we introduce the key tool of factorization forests. Given a
monoid morphism μ : A* → M and u ∈ A*, a μ-factorization forest of u is an
unranked tree structure defined as follows. We use the brackets ⟨⋯⟩ to build a
tree.


Definition 4.1 (Factorization forest [19]). Given a morphism μ : A* → M
and u ∈ A*, we say that F is a μ-forest of u if:
— either u = ε and F = ε; or u = a ∈ A and F = a;
— or F = ⟨F_1, ⋯, F_n⟩, u = u_1 ⋯ u_n, for all 1 ≤ i ≤ n, F_i is a μ-forest of
u_i ∈ A^+, and if n ≥ 3 then μ(u) = μ(u_1) = ⋯ = μ(u_n) is idempotent.


We use the standard tree vocabulary of height, child, sibling, descendant and
ancestor (a node being itself one of its ancestors/descendants), etc. We denote
by Nodes^F the set of nodes of F. In order to simplify the statements, we
identify a node t ∈ Nodes^F with the subtree rooted in this node. Thus Nodes^F
can also be seen as the set of subtrees of F, and F ∈ Nodes^F. We say that a
node is idempotent if it has at least 3 children. We denote by Forests_μ(u)
(resp. Forests_μ^d(u)) the set of μ-forests of u ∈ A* (resp. μ-forests of
u ∈ A* of height at most d). We write Forests_μ and Forests_μ^d for the
corresponding sets of all forests (of any word).

A μ-forest of u ∈ A* can also be seen as "the word u with brackets" in
definition 4.1. Therefore Forests_μ can be seen as a language over
\overline{A} := A ⊎ {⟨, ⟩}. In this setting, it is well-known that μ-forests of
bounded height can effectively be computed by a rational function, i.e. a
particular case of regular function that can be computed by a
non-deterministic one-way transducer (see e.g. [8]).


Theorem 4.2 (Simon [19,6]). Given a morphism μ : A* → M into a finite
monoid M, one can effectively build a rational function
forest_μ : A* → (\overline{A})* such that for all u ∈ A*,
forest_μ(u) ∈ Forests_μ^{3|M|}(u).

Building μ-forests of bounded height is especially useful for us, since it
makes it possible to decompose any word in a somehow bounded way. This
decomposition will be guided by the following definitions, which were
introduced in [8,10]. First, we define iterable nodes as the middle children of
idempotent nodes.


Definition 4.3. Let F ∈ Forests_μ(u). Its iterable nodes, denoted Iter^F, are:
— if F = a ∈ A or F = ε, then Iter^F = ∅;
— otherwise if F = ⟨F_1, ⋯, F_n⟩, then:

\mathrm{Iter}^{F} := \{F_i : 2 \le i \le n-1\} \cup \bigcup_{1 \le i \le n} \mathrm{Iter}^{F_i}.


Now, we define the notion of skeleton of a node t, which contains all the
descendants of t except those which are iterable.


Definition 4.4 (Skeleton, frontier). Let F ∈ Forests_μ(u), t ∈ Nodes^F, we
define the skeleton of t, denoted Skel^F(t), by:

— if t = a ∈ A is a leaf, then Skel^F(t) := {t};

— otherwise if t = ⟨F_1, ⋯, F_n⟩, then Skel^F(t) := {t} ∪ Skel^F(F_1) ∪ Skel^F(F_n).

The frontier of t is the set Fr^F(t) ⊆ [1:|u|] containing the positions of u
which belong to Skel^F(t) (when seen as leaves of the μ-forest F over u).


Example 4.5. Let M := ({−1, 1, 0}, ×) and μ : M* → M the product. A μ-forest
F of the word (−1)(−1)0(−1)000000 is depicted in Figure 4. Double lines denote
idempotent nodes. The set of blue nodes is the skeleton of the topmost blue node.


It is easy to observe that for F ∈ Forests_μ^d(u), the size of a skeleton, or
of a frontier, is bounded independently from F. Furthermore, the set of
skeletons {Skel^F(t) : t ∈ Iter^F ∪ {F}} is a partition of Nodes^F
[8, Lemma 33]. As a consequence, the set of frontiers
{Fr^F(t) : t ∈ Iter^F ∪ {F}} is a partition of [1:|u|]. Given a position
1 ≤ i ≤ |u|, we can thus define the origin of i in F, denoted origin^F(i), as
the unique t ∈ Iter^F ∪ {F} such that i ∈ Fr^F(t).

[Figure 4 (drawing not recoverable); leaves: −1 −1 0 −1 0 0 0 0 0 0.]

Figure 4: F ∈ Forests_μ((−1)(−1)0(−1)000000) and a skeleton.


Definition 4.6 (Observation). Let F ∈ Forests_μ and t, t' ∈ Nodes^F. We say
that t ∈ Nodes^F observes t' ∈ Nodes^F if either t' is an ancestor of t, or t'
is the immediate right or left sibling of an ancestor of t.


[Figure 5 (drawing not recoverable); labels: "• observes these nodes",
"Nodes that observe •".]

Figure 5: Nodes that observe • and that • observes.


The intuition behind the notion of observation (which is not symmetrical) is
depicted in fig. 5. Note that in a forest of bounded height, the number of nodes
that some t observes is bounded. This will be a key argument in the following.
We say that t and t' are dependent if either t observes t' or the converse.
Given F, we can translate these notions to the positions of u: we say that i
observes (resp. depends on) i' if origin^F(i) observes (resp. depends on)
origin^F(i').
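An added example, not the paper's code, that checks definition 4.1 on a forest we constructed for the word of example 4.5 and computes its iterable nodes, skeletons, frontiers, origins and the observation relation of definitions 4.3 to 4.6; the nested-list encoding of forests and the naming of nodes by their path of child indices are our own.

```python
# Added example: our own encoding of Definitions 4.1-4.6.  A leaf is a letter
# (here also a monoid element), an inner node is a list of children, and a
# node is named by its path of child indices from the root (the root is ()).
# FOREST is a forest we constructed for the word of Example 4.5; Figure 4 of
# the paper may draw a different one.
from math import prod


def mu(word):                 # the morphism of Example 4.5: product of letters
    return prod(word, start=1)


def leaves(f):                # the word carried by a forest, left to right
    return [f] if not isinstance(f, list) else [x for c in f for x in leaves(c)]


def is_forest(f):
    """Definition 4.1: children are non-empty mu-forests and a node with at
    least 3 children needs all of them to map to one idempotent element."""
    if not isinstance(f, list):
        return True
    if any(not leaves(c) or not is_forest(c) for c in f):
        return False
    imgs = [mu(leaves(c)) for c in f]
    return len(f) < 3 or (len(set(imgs)) == 1 and imgs[0] * imgs[0] == imgs[0])


def node(f, path):
    for k in path:
        f = f[k]
    return f


def nodes(f, path=()):        # Nodes^F in preorder
    yield path
    if isinstance(f, list):
        for k, c in enumerate(f):
            yield from nodes(c, path + (k,))


def iter_nodes(f, path=()):
    """Definition 4.3: the middle children of idempotent nodes, recursively."""
    if not isinstance(f, list):
        return set()
    mid = {path + (k,) for k in range(1, len(f) - 1)}
    return mid.union(*(iter_nodes(c, path + (k,)) for k, c in enumerate(f)))


def skel(f, path):
    """Definition 4.4: the node plus, recursively, its first and last child."""
    t = node(f, path)
    if not isinstance(t, list):
        return {path}
    return {path} | skel(f, path + (0,)) | skel(f, path + (len(t) - 1,))


def frontier(f, path):        # Fr^F(t): positions 1..|u| of the skeleton's leaves
    ps = [p for p in nodes(f) if not isinstance(node(f, p), list)]
    pos = {p: n for n, p in enumerate(ps, 1)}
    return {pos[p] for p in skel(f, path) if p in pos}


def origin(f, i):
    """origin^F(i): the unique t in Iter^F ∪ {F} whose frontier contains i."""
    found = [t for t in iter_nodes(f) | {()} if i in frontier(f, t)]
    assert len(found) == 1, "frontiers must partition [1:|u|]"
    return found[0]


def observes(t, t2):
    """Definition 4.6: t observes t2 if t2 is an ancestor of t (t itself
    included) or the immediate left/right sibling of such an ancestor."""
    for d in range(len(t) + 1):
        anc = t[:d]
        if t2 == anc:
            return True
        if anc and len(t2) == len(anc) and t2[:-1] == anc[:-1] \
                and abs(t2[-1] - anc[-1]) == 1:
            return True
    return False


# Constructed forest of (-1)(-1)0(-1)000000: the right subtree has seven
# children that all map to the idempotent 0, so its five middle children are
# the iterable nodes; every other node lies in the skeleton of the root.
FOREST = [[-1, -1], [[0, -1], 0, 0, 0, 0, 0, 0]]
```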


5 Height minimization of blind pebble transducers 


In this section, we show theorem 3.5 for blind pebble transducers. We say that
a two-way transducer 𝒯 is a submachine of a blind pebble transducer ℬ if 𝒯
labels a node in the tree description of ℬ. If ℬ = 𝒯(ℬ_1, …, ℬ_n), we say that
the submachine 𝒯 is the head of ℬ. We let the transition morphism of ℬ
be the cartesian product of all the transition morphisms of all the submachines
of ℬ. Observe that it makes sense to consider the production of a submachine
𝒯 in a context defined using the transition morphism of ℬ.
5.1 Pumpability


We first give a sufficient condition, named pumpability, for a blind k-pebble
transducer to compute a function f such that |f(u)| ≠ O(|u|^{k−1}). The
behavior of a pumpable blind 2-pebble transducer is depicted in fig. 6 over a
well-chosen input: it has a factor in which the head 𝒯_1 calls a submachine
𝒯_2, and a factor in which 𝒯_2 produces a non-empty output. Furthermore both
factors can be iterated without destroying the runs of these machines (due to
idempotents).


Definition 5.1. Let ℬ be a blind k-pebble transducer whose transition morphism
is μ : A* → T. We say that the transducer ℬ is pumpable if there exists:
— submachines 𝒯_1, …, 𝒯_k of ℬ, such that 𝒯_1 is the head of ℬ;
— m_0, …, m_k, ℓ_1, …, ℓ_k, r_1, …, r_k ∈ μ(A*);
— a_1, …, a_k ∈ A such that for all 1 ≤ j ≤ k, e_j = ℓ_j μ(a_j) r_j is an idempotent;
— a permutation σ : [1:k] → [1:k];
such that if M_i^j = m_i e_{i+1} m_{i+1} ⋯ e_j m_j for 0 ≤ i ≤ j ≤ k, and if we
define the following context for all 1 ≤ j ≤ k:

C_j = M_0^{\sigma(j)-1}\, e_{\sigma(j)}\, \ell_{\sigma(j)}\, [a_{\sigma(j)}]\, r_{\sigma(j)}\, e_{\sigma(j)}\, M_{\sigma(j)}^{k}

then for all 1 ≤ j ≤ k−1, |prod_{𝒯_j}(C_j)|_{ℬ_{j+1}} ≠ 0 (where ℬ_{j+1}
denotes the subtree of ℬ whose head is 𝒯_{j+1}), and prod_{𝒯_k}(C_k) ≠ ε.


[Figure 6 (drawing not recoverable); labels: the input factors
ℓ_1, e_1, m_1, e_2, ℓ_2, μ(a_2), r_2, e_2, m_2 and the runs of the head 𝒯_1
and of 𝒯_2.]

Figure 6: Pumpability in a blind 2-pebble transducer.


Lemma 5.2 follows by choosing inverse images in A* for the m_j, ℓ_j and r_j.


Lemma 5.2. Let f be computed by a pumpable blind k-pebble transducer. There
exist words v_0, …, v_k, u_1, …, u_k such that |f(v_0 u_1^X ⋯ u_k^X v_k)| = Θ(X^k).


Now, we use pumpability as a key ingredient for showing theorem 3.5, which 
directly follows by induction from the more precise theorem 5.3. 


Theorem 5.3 (Removing one layer). Let k ≥ 2 and f : A* → B* be
computed by a blind k-pebble transducer ℬ. The following are equivalent:

1. |f(u)| = O(|u|^{k−1});
2. ℬ is not pumpable;
3. f can be computed by a blind (k−1)-pebble transducer.

Furthermore, this property is decidable and the construction is effective.


Proof. Item 3 ⇒ item 1 is obvious. Item 1 ⇒ item 2 is lemma 5.2. Furthermore,
pumpability can be tested by an enumeration of μ(A*) and A. It remains to
show item 2 ⇒ item 3 (in an effective fashion): this is the purpose of section 5.2.


5.2 Algorithm for removing a recursion layer 


Let k ≥ 2 and ℬ be a blind k-pebble transducer that is not pumpable, and that
computes f : A* → B*. We build a blind (k−1)-pebble transducer 𝒱 for f.
Let μ : A* → T be the transition morphism of ℬ. We shall consider that, on
input u ∈ A*, the submachines of 𝒱 can in fact use forest_μ(u) ∈ (\overline{A})*
as input. Indeed forest_μ is a rational function (by theorem 4.2), hence its
information can be recovered by using a lookaround. Informally, the lookaround
feature enables a two-way transducer to choose its transitions not only
depending on its current state and current letter u[i] in position 1 ≤ i ≤ |u|,
but also on a regular property of the prefix u[1:i−1] and the suffix
u[i+1:|u|]. It is well-known that given a two-way transducer 𝒯 with
lookarounds, one can build an equivalent 𝒯' that does not have this feature
(see e.g. [15,12]). Furthermore, even if the accepting runs of 𝒯 and 𝒯' may
differ, they produce the same outputs from the same positions (this observation
will be critical for last pebble transducers, in order to ensure that the
marked positions of the recursive calls will be preserved).

Now, we describe the two-way transducers that are the submachines of 𝒱.
First, it has submachines old-𝒯 for 𝒯 a submachine of ℬ, which are described
in algorithm 1. Intuitively, old-𝒯 is just a copy of 𝒯. It is clear that if 𝒯
is a submachine of ℬ, then old-𝒯(u) is the concatenation of the outputs
produced by (the recursive calls of) 𝒯 along its accepting run on ⊢u⊣.


Algorithm 1: Submachines that behave as the original ones

 1 Submachine old-𝒯(u)
 2   ρ := accepting run of 𝒯 over ⊢u⊣; λ := output function of 𝒯;
 3   for (q,i) ∈ ρ do
 4     if 𝒯 is a leaf of ℬ then
 5       Output λ(q, (⊢u⊣)[i]);            /* 𝒯 has output in B*; */
 6     else
 7       for ℬ' ∈ λ(q, (⊢u⊣)[i]) do
 8         𝒯' := head of ℬ';
 9         Call old-𝒯'(u);                 /* 𝒯 makes recursive calls; */
10       end
11     end
12   end
𝒱 also has submachines accelerate-𝒯 for 𝒯 a submachine of ℬ, which are
described in algorithm 2. Intuitively, accelerate-𝒯 simulates 𝒯 while trying
to inline recursive calls in its own run. More precisely, let u ∈ A* be the
input and F = forest_μ(u). If 𝒯 calls ℬ' in 1 ≤ i ≤ |u| that belongs to the
frontier of the root node F of F, then accelerate-𝒯 inlines the behavior of
the head of ℬ'. Otherwise it makes a recursive call, except if ℬ' is a leaf of
ℬ. Hence if 𝒯 is a submachine of ℬ which is not a leaf, accelerate-𝒯(u) is the
concatenation of the outputs produced by the calls of 𝒯 along its accepting run.


Algorithm 2: Submachines that try to simulate their recursive calls

 1 Submachine accelerate-𝒯(u)
 2   /* 𝒯 is not a leaf of ℬ (i.e. it makes calls); */
 3   ρ := accepting run of 𝒯 over ⊢u⊣; F := forest_μ(u); λ := output fun. of 𝒯;
 4   for (q,i) ∈ ρ do
 5     for ℬ' ∈ λ(q, (⊢u⊣)[i]) do
 6       𝒯' := head of ℬ';
 7       if i ∈ Fr^F(F) then
 8         /* We can inline the call since |Fr^F(F)| is bounded; */
 9         Inline the code of old-𝒯'(u)      /* (see explanations); */
10       else if ℬ' is a leaf of ℬ then
11         /* Then ℬ' = 𝒯' and we can inline the call because the
              output of 𝒯' on input u is bounded; */
12         Inline the code of old-𝒯'(u)      /* (see explanations); */
13       else
14         /* It is not possible to inline the call to ℬ', so we
              make a recursive call; */
15         Call accelerate-𝒯'(u);
16       end
17     end
18   end


Finally, the transducer 𝒱 is obtained by defining accelerate-𝒯 to be its
head, where 𝒯 is the head of ℬ. Furthermore, we remove the submachines
old-𝒯 or accelerate-𝒯 which are never called. Observe that 𝒱 indeed computes
the function f. Furthermore, we observe that 𝒱 has recursion height (i.e. the
number of nested Call instructions, plus 1 for the head) k−1, since each
inlining of lines 9, 10 and 12 in algorithm 2 removes exactly one recursion
layer of ℬ.

It remains to justify that each accelerate-𝒯 can be implemented by a two-way
transducer (i.e. with lookarounds but a bounded memory). We represent
variable i by the current position of the transducer. Since it has access to F,
the lookaround can be used to check whether i ∈ Fr^F(F) or not (since the size
of Fr^F(F) is bounded). It remains to explain how the inlinings are performed:

— if i ∈ Fr^F(F), the two-way transducer inlines old-𝒯' by executing the same
moves and calls as 𝒯' does. Once its computation is ended, it has to go back
to position i. This is indeed possible since belonging to Fr^F(F) is a property
that can be detected by using the lookaround, hence the machine only needs
to remember that i was the ℓ-th position of Fr^F(F) (ℓ being bounded);

— else if ℬ' = 𝒯' is a blind 1-pebble transducer, we produce the output of 𝒯'
without moving. This is possible since for all i' ∉ Fr^F(F), prod^u_{𝒯'}(i') = ε
(hence the output of 𝒯' on u is bounded, and its value can be determined
without moving, just by using the lookaround). Indeed, if prod^u_{𝒯'}(i') ≠ ε
for such an i' ∉ Fr^F(F) when reaching line 12 of algorithm 2, then the
conditions of lemma 5.4 hold, which yields a contradiction. This lemma is
the key argument of this proof, relying on the non-pumpability of ℬ.


Lemma 5.4 (Key lemma). Let u ∈ A* and F ∈ Forests_μ(u). Assume that
there exists a sequence 𝒯_1, …, 𝒯_k of submachines of ℬ and a sequence of
positions 1 ≤ i_1, …, i_k ≤ |u| such that:

— 𝒯_1 is the head of ℬ;

— for all 1 ≤ j ≤ k−1, |prod^u_{𝒯_j}(i_j)|_{ℬ_{j+1}} ≠ 0 and prod^u_{𝒯_k}(i_k) ≠ ε;

— for all 1 ≤ j ≤ k, i_j ∉ Fr^F(F) (i.e. origin^F(i_j) ∈ Iter^F).

Then ℬ is pumpable.


Proof (idea). We first observe that pumpability follows as soon as the nodes
origin^F(i_j) are pairwise independent. We then show that this independence
condition can always be obtained, up to duplicating some iterable subtrees of F
(and some factors of u), because the behavior of a submachine in a blind pebble
transducer does not depend on the positions of the above recursive calls.


6 Height minimization of last pebble transducers 


In this section, we show theorem 3.5 for last pebble transducers. The notions of
submachine, head and transition morphism for a last pebble transducer are
defined as in section 5. The transition morphism is now defined over
(A ⊎ \underline{A})*.


6.1 Pumpability 


The sketch of the proof is similar to section 5. We first give an equivalent of
pumpability for last pebble transducers. The intuition behind this notion is
depicted in fig. 7. The formal definition is however more cumbersome, since we
need to keep track of the fact that the calling position is marked.


Definition 6.1. Let ℒ be a last k-pebble transducer whose transition morphism
is μ : (A ⊎ \underline{A})* → T. We say that the transducer ℒ is pumpable if
there exists:
— submachines 𝒯_1, …, 𝒯_k of ℒ, such that 𝒯_1 is the head of ℒ;
— m_0, …, m_k, ℓ_1, …, ℓ_k, r_1, …, r_k ∈ μ(A*);
— a_1, …, a_k ∈ A such that for all 1 ≤ j ≤ k, e_j = ℓ_j μ(a_j) r_j is idempotent;
— a permutation σ : [1:k] → [1:k];
such that if we let M_i^j = m_i e_{i+1} m_{i+1} ⋯ e_j m_j for all 0 ≤ i ≤ j ≤ k,
and if we define the following context:

C_1 = M_0^{\sigma(1)-1}\, e_{\sigma(1)}\, \ell_{\sigma(1)}\, [a_{\sigma(1)}]\, r_{\sigma(1)}\, e_{\sigma(1)}\, M_{\sigma(1)}^{k}

and for all 1 ≤ j ≤ k−1 the context:

C_{j+1} = M_0^{\sigma(j)-1}\, e_{\sigma(j)}\, \ell_{\sigma(j)}\, \mu(\underline{a_{\sigma(j)}})\, r_{\sigma(j)}\, e_{\sigma(j)}\, M_{\sigma(j)}^{\sigma(j+1)-1}\, e_{\sigma(j+1)}\, \ell_{\sigma(j+1)}\, [a_{\sigma(j+1)}]\, r_{\sigma(j+1)}\, e_{\sigma(j+1)}\, M_{\sigma(j+1)}^{k}
    if σ(j) < σ(j+1);

C_{j+1} = M_0^{\sigma(j+1)-1}\, e_{\sigma(j+1)}\, \ell_{\sigma(j+1)}\, [a_{\sigma(j+1)}]\, r_{\sigma(j+1)}\, e_{\sigma(j+1)}\, M_{\sigma(j+1)}^{\sigma(j)-1}\, e_{\sigma(j)}\, \ell_{\sigma(j)}\, \mu(\underline{a_{\sigma(j)}})\, r_{\sigma(j)}\, e_{\sigma(j)}\, M_{\sigma(j)}^{k}
    otherwise;

then for all 1 ≤ j ≤ k−1, |prod_{𝒯_j}(C_j)|_{ℒ_{j+1}} ≠ 0 (where ℒ_{j+1}
denotes the subtree of ℒ whose head is 𝒯_{j+1}), and prod_{𝒯_k}(C_k) ≠ ε.


[Figure 7 (drawing not recoverable); label: "𝒯_1 head".]

Figure 7: Pumpability in a last 2-pebble transducer.


We obtain lemma 6.2 by a proof which is similar to that of lemma 5.2. 


Lemma 6.2. Let f be computed by a pumpable last k-pebble transducer. There
exist words v_0, …, v_k, u_1, …, u_k such that |f(v_0 u_1^X ⋯ u_k^X v_k)| = Θ(X^k).


Theorem 6.3 (Removing one layer). Let k ≥ 2 and f : A* → B* be
computed by a last k-pebble transducer ℒ. The following are equivalent:

1. |f(u)| = O(|u|^{k−1});

2. ℒ is not pumpable;

3. f can be computed by a last (k−1)-pebble transducer.

Furthermore, this property is decidable and the construction is effective.


Proof. Item 3 ⇒ item 1 is obvious. Item 1 ⇒ item 2 is lemma 6.2. Furthermore,
pumpability can be tested by an enumeration of μ(A*) and A. It remains to
show item 2 ⇒ item 3 (in an effective fashion): this is the purpose of section 6.2.
6.2 Algorithm for removing a recursion layer


Let k ≥ 2 and ℒ be a last k-pebble transducer that is not pumpable, and
that computes f : A* → B*. We build a last (k−1)-pebble transducer 𝒱 for f.
Let μ : (A ⊎ \underline{A})* → T be the transition morphism of ℒ. As before
(using a lookaround), the submachines of 𝒱 have access to forest_μ(u) on input
u ∈ A*.

Now, we describe the submachines of 𝒱. It has submachines old-𝒯-along-ρ
for 𝒯 a submachine of ℒ and ρ a run of 𝒯, which are described in algorithm 3.
Intuitively, these machines mimic the behavior of 𝒯 along the run ρ (which is
not necessarily accepting) of 𝒯 over ⊢v⊣ with v ∈ (A ⊎ \underline{A})*.

Since they are indexed by a run ρ, it may seem that we create an infinite
number of submachines, but it will not be the case. Indeed, a run ρ will be
represented by its first configuration (q_1, i_1) and last configuration
(q_n, i_n). This information is sufficient to simulate exactly the two-way
moves of ρ, but there is still an unbounded information: the positions i_1 and
i_n. In fact, the input will be of the form v = u•i and we shall guarantee that
i_1 and i_n can be detected by the lookaround if i is marked. Hence the run ρ
will be represented in a bounded way, independently from the input v, and so
that its first and last configurations can be detected by the lookaround of
the submachine.

It follows from algorithm 3 that if 𝒯 is a submachine of ℒ, then for all
v ∈ (A ⊎ \underline{A})* and ρ run of 𝒯 on ⊢v⊣, old-𝒯-along-ρ(v) is the
concatenation of the outputs produced by (the recursive calls of) 𝒯 along ρ.

We also define a submachine normal-𝒯-along-ρ-pebble-i that is similar to
old-𝒯-along-ρ, except that it ignores the mark of its input and acts as if it
was in position i (as above for ρ, i will be encoded by a bounded information).


Algorithm 3: Submachines that behave like the original ones

 1 Submachine old-𝒯-along-ρ(v)
 2   /* v ∈ (A ⊎ \underline{A})*; ρ is a run of 𝒯 over ⊢v⊣; */
 3   λ := output function of 𝒯;
 4   for (q,i) ∈ ρ do
 5     if 𝒯 is a leaf of ℒ then
 6       Output λ(q, (⊢v⊣)[i]);            /* 𝒯 has output in B*; */
 7     else
 8       for ℒ' ∈ λ(q, (⊢v⊣)[i]) do
 9         𝒯' := head of ℒ'; ρ' := accepting run of 𝒯' on ⊢τ(v)•i⊣;
10         Call old-𝒯'-along-ρ'(τ(v)•i);   /* Recursive call; */
11       end
12     end
13   end
14 Submachine normal-𝒯-along-ρ-pebble-i(v)
15   /* v ∈ (A ⊎ \underline{A})*; ρ is a run of 𝒯 over ⊢τ(v)•i⊣; */
16   Simulate old-𝒯-along-ρ(τ(v)•i);
𝒱 also has submachines accelerate-𝒯-along-ρ for 𝒯 a submachine of ℒ,
which are described in algorithm 4. Intuitively, accelerate-𝒯-along-ρ simulates
𝒯 along ρ while trying to inline some recursive calls. Whenever it is in
position i and needs to call recursively ℒ' whose head is 𝒯', it first slices
the accepting run ρ' of 𝒯' on ⊢u•i⊣, with respect to forest_μ(u) and i, as
explained in definition 6.4 and depicted in fig. 8. Intuitively, this operation
splits ρ' into a bounded number of runs whose positions either all observe i,
or i observes all of them, or none of these cases occur (the positions are
either 0, |u|+1 or independent of i).


Definition 6.4 (Slicing). Let $u \in A^*$, $F \in \mathrm{Forests}(u)$ and $1 \le i \le |u|$. We 
let $\uparrow i$ (resp. $\downarrow i$) be the set of positions that $i$ observes (resp. that observe $i$). 
Let $\rho = (q_1, i_1) \to \cdots \to (q_n, i_n)$ be a run of a two-way transducer $T$ on $\vdash u e_i \dashv$. 
We build by induction a sequence $\ell_1, \dots, \ell_{N+1}$ with $\ell_1 := 1$ and: 
– if $\ell_j = n+1$ then $j = N$ and the process ends; 
– else if $i_{\ell_j} \in \uparrow i$ (resp. $i_{\ell_j} \in \downarrow i \smallsetminus \uparrow i$, resp. $i_{\ell_j} \in [0{:}|u|{+}1] \smallsetminus (\uparrow i \cup \downarrow i)$), then 
$\ell_{j+1}$ is the largest index such that for all $\ell_j \le \ell \le \ell_{j+1} - 1$, $i_\ell \in \uparrow i$ (resp. 
$i_\ell \in \downarrow i \smallsetminus \uparrow i$, resp. $i_\ell \in [0{:}|u|{+}1] \smallsetminus (\uparrow i \cup \downarrow i)$). 
Finally the slicing of $\rho$, with respect to $F$ and $i$, is the sequence of runs $\rho_1, \dots, \rho_N$ 
where $\rho_j = (q_{\ell_j}, i_{\ell_j}) \to (q_{\ell_j + 1}, i_{\ell_j + 1}) \to \cdots \to (q_{\ell_{j+1} - 1}, i_{\ell_{j+1} - 1})$. 


Figure 8: Slicing of a run $\rho$ with respect to $i$ and $F$. [The figure shows $\rho$ cut into consecutive slices $\rho_1, \dots, \rho_N$, and labels the positions that belong to $\downarrow i \smallsetminus \uparrow i$ and the positions that belong to $\uparrow i$.] 


Now, let $\rho'_1, \dots, \rho'_N$ be the slicing of the run $\rho'$ of $T'$ on the input $u e_i$. For all 
$1 \le j \le N$, there are mainly two cases. Either the positions of $\rho'_j$ all are in $\uparrow i$ or 
$\downarrow i$. In this case, accelerate-$\mathcal{T}$-along-$\rho$ directly inlines old-$\mathcal{T}'$-along-$\rho'_j$ within its 
own run (i.e. without making a recursive call). Otherwise, it makes a recursive 
call to accelerate-$\mathcal{T}'$-along-$\rho'_j$, except if $\mathcal{T}'$ is a leaf of $\mathcal{Y}$ (thus $T' = \mathcal{T}'$). 

Finally, $\mathcal{V}$ is described as follows: on input $u \in A^*$, its head is the submachine 
accelerate-$\mathcal{T}$-along-$\rho$($u$), where $\mathcal{T}$ is the head of $\mathcal{Y}$ and $\rho$ is the accepting run 
of $T$ on $\vdash u \dashv$ (represented by the bounded information that it is both initial 
and final). As before, we remove the submachines which are never called in $\mathcal{V}$. 
Observe that we have created a machine with recursion height $k-1$ (because 
line 17 in algorithm 4 prevents from calling a $k$-th layer). 

Let us justify that each accelerate-$\mathcal{T}$-along-$\rho$ can indeed be implemented by 
a two-way transducer. First, let us observe that since $F$ has bounded height, the 
number $N$ of slices given in line 7 of algorithm 4 is bounded. Furthermore, we 
claim that the first and last positions of each $\rho'_j$ belong to a given set of bounded 
size, which can be detected by a lookaround which has access to $i$. For the $\rho'_j$ 
whose positions are in $\uparrow i$, this is clear since $|\uparrow i|$ is bounded (because the frontier 
of any node is bounded). For $\downarrow i \smallsetminus \uparrow i$ we use lemma 6.5, which implies that this 
set is a bounded union of intervals. The last case is very similar. 

Algorithm 4: Submachines that try to simulate their recursive calls 

1  Submachine accelerate-$\mathcal{T}$-along-$\rho$($v$) 
2    /* $\mathcal{T}$ is not a leaf of $\mathcal{Y}$ (i.e. it makes calls); */ 
3    /* $v \in (A \uplus \dot{A})^*$; $\rho$ is a run of $T$ over $\vdash v \dashv$; */ 
4    $u := \pi(v)$; $F := \mathrm{forest}(u)$; $\lambda$ := output function of $T$; 
5    for $(q, i) \in \rho$ do 
6      for $\mathcal{T}' \in \lambda(q, (\vdash v \dashv)[i])$ do 
7        $T'$ := head of $\mathcal{T}'$; $\rho'$ := accepting run of $T'$ over $\vdash u e_i \dashv$; 
8        $\rho'_1, \dots, \rho'_N$ := slicing of $\rho'$ with respect to $F$ and $i$; 
9        for $j = 1$ to $N$ do 
10         $(q_1, i_1) \to \cdots \to (q_n, i_n) := \rho'_j$; 
11         if $i_1, \dots, i_n \in \uparrow i$ then 
12           /* We inline the call because $n$ is bounded; */ 
13           Inline the code of old-$\mathcal{T}'$-along-$\rho'_j$($u e_i$); 
14         else if $i_1, \dots, i_n \in \downarrow i$ then 
15           /* We can inline the call because the positions $i_1, \dots, i_n$ are 'below' $i$ in $F$; */ 
16           Inline the code of old-$\mathcal{T}'$-along-$\rho'_j$($u e_i$); 
17         else if $\mathcal{T}'$ is a leaf of $\mathcal{Y}$ then 
18           /* The output of $T' = \mathcal{T}'$ along $\rho'_j$ is empty; */ 
19         else 
20           /* It is not possible to inline the call to $\mathcal{T}'$, so we make a recursive call; */ 
21           Call accelerate-$\mathcal{T}'$-along-$\rho'_j$($u e_i$); 
22         end 
23       end 
24     end 
25   end 


Lemma 6.5. Let $1 \le i \le |u|$, $t := \mathrm{origin}^F(i)$ and $t_1$ (resp. $t_2$) be its immediate 
left (resp. right) sibling (they exist whenever $t \in \mathrm{Iter}^F$, i.e. here $t \ne F$). Then: 
$\downarrow i \smallsetminus \uparrow i = [\min(\mathrm{Fr}^F(t_1)) : \max(\mathrm{Fr}^F(t_2))] \smallsetminus \{\mathrm{Fr}^F(t_1), \mathrm{Fr}^F(t), \mathrm{Fr}^F(t_2)\}$. 

This analysis justifies why each $\rho'_j$ can be encoded in a bounded way. Now, we 
show how to implement the inlinings while using $i$ as the current position: 


– if $i_1, \dots, i_n \in \uparrow i$, then $n$ is bounded (because $|\uparrow i|$ is bounded). We can 
thus inline old-$\mathcal{T}'$-along-$\rho'_j$($u e_i$) while staying in position $i$. However, when 
$T'$ calls some $\mathcal{T}''$ (of head $T''$) on position $i_\ell$, we would need to call 
old-$\mathcal{T}''$-along-$\rho''$($u e_{i_\ell}$) (where $\rho''$ is the accepting run of $T''$ along $\vdash u e_{i_\ell} \dashv$). 
But we cannot do this operation, since we are in position $i$ and not in $i_\ell$. 
The solution is that the inlined code calls normal-$\mathcal{T}''$-along-$\rho''$-pebble-$i_\ell$($u e_i$) 
instead, which simulates an accepting run $\rho''$ of $T''$ on $u e_{i_\ell}$, even if its input 
is $u e_i$. Note that $i_\ell$ can be represented as a bounded information and 
recovered by a lookaround given $u e_i$ as input, since $i$ observes $i_\ell$; 
– if $i_1, \dots, i_n \in \downarrow i \smallsetminus \uparrow i$, then the nodes $\mathrm{origin}^F(i_1), \dots, \mathrm{origin}^F(i_n)$ are 
roughly below $\mathrm{origin}^F(i)$ in $F$ (see fig. 5). We inline old-$\mathcal{T}'$-along-$\rho'_j$($u e_i$), 
by moving along $i_1, \dots, i_n$ as $\rho'_j$ does. We can keep track of the height of 
$\mathrm{origin}^F(i)$ above the current $\mathrm{origin}^F(i_\ell)$ (it is a bounded information). With 
the lookaround, we can detect the end of $\rho'_j$ and go back to position $i$. 

It remains to justify that $\mathcal{V}$ is correct. For this, we only need to show that 
when it reaches line 18 in algorithm 4, the output of $T'$ along $\rho'_j$ is indeed empty. 
Otherwise, the conditions of lemma 6.6 would hold (since we never execute two 
successive recursive calls in dependent positions). It provides a contradiction. 


Lemma 6.6 (Key lemma). Let $u \in A^*$ and $F \in \mathrm{Forests}(u)$. Assume that 
there exists a sequence $\mathcal{T}_1, \dots, \mathcal{T}_k$ of submachines of $\mathcal{Y}$ and a sequence of positions 
$1 \le i_1, \dots, i_k \le |u|$ such that: 

– $\mathcal{T}_1$ is the head of $\mathcal{Y}$; 

– $|\mathrm{prod}^{\mathcal{T}_1}(i_1)|_{\mathcal{T}_2} \ne 0$ and $\mathrm{prod}^{\mathcal{T}_k}(i_k) \ne \varepsilon$; 

– for all $2 \le j \le k-1$, $|\mathrm{prod}^{\mathcal{T}_j}(i_j)|_{\mathcal{T}_{j+1}} \ne 0$; 

– for all $1 \le j \le k-1$, $\mathrm{origin}^F(i_j)$ and $\mathrm{origin}^F(i_{j+1})$ are independent. 
Then $\mathcal{Y}$ is pumpable. 


Proof (idea). As for lemma 5.4, the key observation is that pumpability follows 
as soon as the nodes $\mathrm{origin}^F(i_j)$ are pairwise independent. Furthermore, this 
condition can be obtained by duplicating some nodes in $F$. 


7 Making the two last pebbles visible 


We can define a similar model to that of last k-pebble transducer, which sees 
the two last calling positions instead of only the previous one. Let us name this 
model a last-last k-pebble transducer. A very natural question is to know 
whether we can show an analog of theorem 3.5 for these machines. 

Note that for $k = 1, 2$ and $3$, a last-last $k$-pebble transducer is exactly the 
same as a $k$-pebble transducer. Hence the function inner-squaring of page 2 is 
such that $|\text{inner-squaring}(u)| = O(|u|^2)$ and can be computed by a last-last 3-pebble 
transducer, but it cannot be computed by a last-last 2-pebble transducer. 
It follows that the connection between minimal recursion height and growth of 
the output fails. However, this result is somehow artificial. Indeed, a last-last 
2-pebble transducer is a degenerate case, since it can only see one last pebble. 
More interestingly, we show that the connection fails for arbitrary heights. 


Theorem 7.1. For all $k \ge 2$, there exists a function $f : A^* \to B^*$ such that 
$|f(u)| = O(|u|^2)$ and that can be computed by a last-last $(2k+1)$-pebble transducer, 
but not by a last-last $2k$-pebble transducer. 


Proof (idea). We re-use a counterexample introduced by Bojańczyk in [2] to 
show a similar failure result for the model of $k$-pebble transducers. 

8 Outlook 


This paper somehow settles the discussion concerning the variants of pebble 
transducers for which the minimal recursion height only depends on the growth 
of the output. As soon as two marks are visible, the combinatorics of the output 
also has to be taken into account, hence minimizing the recursion height in this 
case (e.g. for last-last pebble transducers) seems hard with the current tools. 

As observed in [13], one can extend last pebble transducers by allowing the 
recursion height to be unbounded (in the spirit of marble transducers [9]). 
This model makes it possible to produce outputs whose size grows exponentially in the 
size of the input. A natural question is to know whether a function computed by 
this model, but whose output size is polynomial, can in fact be computed with 
a recursion stack of bounded height (i.e. by a last $k$-pebble transducer). 


Acknowledgements. The author is grateful to Tito Nguyễn for suggesting the 
study of the recursion height for last pebble transducers. 
Abstract. Noetherian spaces are a generalisation of well-quasi-orderings 
to topologies, that can be used to prove termination of programs. They 
find applications in the verification of transition systems, some of which 
are better described using topology. The goal of this paper is to allow 
the systematic description of computations using inductively defined 
datatypes via Noetherian spaces. This is achieved through a fixed point 
theorem based on a topological minimal bad sequence argument. 


Keywords: Noetherian spaces · topology · well-quasi-orderings · initial 
algebras · Kruskal's Theorem · Higman's Lemma. 


1 Introduction 


Let $(E, \le)$ be a set endowed with a quasi-order. A sequence $(x_n)_{n \in \mathbb{N}} \in E^{\mathbb{N}}$ is good 
whenever there exists $i < j$ such that $x_i \le x_j$. A quasi-ordered set $(E, \le)$ is 
well-quasi-ordered (abbreviated as wqo) if every sequence is good. By calling 
a sequence bad whenever it is not good, well-quasi-orderings are equivalently 
defined as having no infinite bad sequences. This generalisation of well-founded 
total orderings can be used as a basis for proving program termination. For 
instance, algorithms like Example 1.1 can be studied via well-quasi-orderings 
and the length of their bad sequences [5]. More generally, one can map the 
states of a run to a wqo via a so-called quasi-ranking function to both prove the 
termination of the program and gain information about its runtime [27, Chapter 
2]. Let us provide a concrete example of this proof scheme. 


Example 1.1. Let Alg be the algorithm with three integer variables $a, b, c$ that 
non-deterministically performs one of the following operations until $a$, $b$ or $c$ 
becomes negative: (l) $(a, b, c) \leftarrow (a - 1, b, 2c)$ or (r) $(a, b, c) \leftarrow (2c, b - 1, 1)$. 


Lemma 1.2. For every choice of $(a, b, c) \in \mathbb{N}^3$, the algorithm Alg terminates. 


Proof. Let us prove that Alg builds a bad sequence of triples when ordering $\mathbb{N}^3$ 
with $(a_1, b_1, c_1) \le (a_2, b_2, c_2)$ whenever $a_1 \le a_2$, $b_1 \le b_2$, and $c_1 \le c_2$. If $(a_i, b_i, c_i)$ 
and $(a_j, b_j, c_j)$, with $i < j$, represent two configurations in a run of Alg, either only rule (l) 
was fired and $a_j < a_i$, or rule (r) was fired at least once, and $b_j < b_i$. 

Because $(\mathbb{N}^3, \le)$ is a well-quasi-ordering (see Dickson's Lemma in [28]), Alg 
terminates for every choice of initial triple $(a, b, c) \in \mathbb{N}^3$. 
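As an added example (not code from the paper), the following Python script runs Alg from Example 1.1 over every non-deterministic choice of rules and checks the claim of Lemma 1.2 that each run is a bad sequence for the product order on $\mathbb{N}^3$; the exhaustive search and the starting triples are our own choices.

```python
"""Example 1.1 / Lemma 1.2: every run of Alg is a bad sequence for the product order
on N^3, so every run is finite.  Added example, not code from the paper; exploring
all non-deterministic choices exhaustively is our own way of checking the lemma."""
from itertools import combinations


def fire(cfg, rule):
    """One step of Alg: (l) is (a,b,c) <- (a-1, b, 2c), (r) is (a,b,c) <- (2c, b-1, 1)."""
    a, b, c = cfg
    if rule == "l":
        return (a - 1, b, 2 * c)
    if rule == "r":
        return (2 * c, b - 1, 1)
    raise ValueError(f"unknown rule {rule!r}")


def halted(cfg):
    """Alg stops as soon as a, b or c becomes negative."""
    return min(cfg) < 0


def leq(x, y):
    """Product order on N^3 from the proof of Lemma 1.2 (a wqo by Dickson's Lemma)."""
    return all(xi <= yi for xi, yi in zip(x, y))


def is_bad(seq):
    """A sequence is bad when no pair i < j satisfies seq[i] <= seq[j]."""
    return not any(leq(seq[i], seq[j]) for i, j in combinations(range(len(seq)), 2))


def all_runs(start):
    """Every maximal run of Alg from `start`, each as the list of visited configurations
    (the last one has a negative coordinate).  Depth-first search over both rules; it
    terminates because, by Lemma 1.2, no run can be infinite."""
    runs, stack = [], [[start]]
    while stack:
        trace = stack.pop()
        if halted(trace[-1]):
            runs.append(trace)
            continue
        for rule in ("l", "r"):
            stack.append(trace + [fire(trace[-1], rule)])
    return runs


def decreasing_coordinate(trace, i, j):
    """The case split of the proof, for positions i < j of a run: if b is unchanged then
    only (l) fired in between and a strictly dropped; otherwise (r) fired at least once
    and b strictly dropped.  Returns the coordinate witnessing trace[i] !<= trace[j]."""
    (ai, bi, _), (aj, bj, _) = trace[i], trace[j]
    if bj == bi:
        assert aj < ai, (trace[i], trace[j])
        return "a"
    assert bj < bi, (trace[i], trace[j])
    return "b"


def check_lemma(start):
    """Assert that every run from `start` is bad (with a witness coordinate for each pair)
    and return (number of maximal runs, length of the longest one)."""
    runs = all_runs(start)
    for trace in runs:
        assert is_bad(trace), trace
        for i, j in combinations(range(len(trace)), 2):
            decreasing_coordinate(trace, i, j)
    return len(runs), max(len(trace) for trace in runs)


if __name__ == "__main__":
    # Constructed starting triples; from (2, 1, 1) there are 21 maximal runs, the
    # longest visiting 13 configurations, and all of them are bad sequences.
    for start in [(0, 0, 0), (1, 1, 1), (2, 1, 1)]:
        print(start, check_lemma(start))
```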


© The Author(s) 2023 
As a combinatorial tool, well-quasi-orderings appear frequently in varying 
fields of computer science, ranging from graph theory to number theory [18, 22, 
21, 3]. Well-quasi-orderings have also been highly successful in proving the termination 
of verification algorithms. One critical application of well-quasi-orderings 
is to the verification of infinite state transition systems, via the study of so-called 
Well-Structured Transition Systems (WSTS) [1, 2, 16, 7]. 


Noetherian spaces. A major roadblock arises when using well-quasi-orders: 
the powerset of a well-quasi-order may fail to be one itself [26]. This is particularly 
problematic in the study of WSTS, where the powerset construction appears 
frequently [19, 29, 1]. To tackle this issue, one can justify that the quasi-orders 
of interest are not pathological, and are actually better quasi-orders [25, 23]. Another 
approach is offered by the topological notion of Noetherian space, which 
as pointed out by Goubault-Larrecq, can act as a suitable generalisation of well- 
quasi-orderings that is preserved under the powerset construction [10]. 

The topological analogues to WSTS enjoy similar decidability properties, and 
there even exists an analogue to Karp and Miller's forward analysis for Petri 
nets [11]. Moreover, their topological nature makes it possible to verify systems beyond 
the reach of quasi-orderings, such as lossy concurrent polynomial programs [11]. 
This is possible because the polynomials are handled via results from algebraic 
geometry, through the notion of the Zariski topology over $\mathbb{C}^n$ [12, Exercise 9.7.53]. 

One drawback of the topological approach is that many topologies correspond 
to a single quasi-ordering. Hence, when the problem is better described via an 
ordering, one has to choose a specific topology, and there usually does not exist 
a finest one that is Noetherian. 


Inductively defined datatypes. As for well-quasi-orders, Noetherian spaces 
are stable under finite products and finite sums [28, 12]. While this can be 
enough to describe the set of configurations of a Petri net using $\mathbb{N}^k$, it does not 
make it possible to talk about more complex data structures, that are typically defined 
inductively, such as lists and trees. To make the above statement precise, let $1$ 
be the singleton set, $A + B$ be the disjoint union of $A$ and $B$, and $A \times B$ their 
cartesian product. Then, the set of finite words over an alphabet $\Sigma$ is precisely 
the least fixed point of $F : X \mapsto 1 + \Sigma \times X$. Similarly, the set of finite trees over 
$\Sigma$ equals $\mathrm{lfp}_X.\Sigma \times X^*$, where $\mathrm{lfp}_X.F(X)$ denotes the least fixed point of $F$. 

In the realm of well-quasi-orderings, the specific cases of finite words and 
finite trees are handled respectively via Higman's Lemma [18] and Kruskal's Tree 
Theorem [22]. Let us recall that a word $w$ embeds into a word $w'$ (written $w \le_* w'$) 
whenever there exists a strictly increasing map $h : |w| \to |w'|$ such 
that $w_i \le w'_{h(i)}$ for $1 \le i \le |w|$. Similarly, a tree $t$ embeds into a tree $t'$ (written 
$t \le_{\mathrm{tree}} t'$) whenever there exists a map from nodes of $t$ to nodes of $t'$ respecting 
the least common ancestor relation, and increasing the colours of the nodes. 
Proofs that finite words and finite trees preserve well-quasi-orderings typically 
rely on a so-called minimal bad sequence argument due to Nash-Williams [24]. 
However, the argument is quite subtle, and needs to be handled with care [9, 30]. 
In addition, the argument is not compositional and has to be slightly modified 
whenever a new inductive construction is desired [as in, e.g., 4, 3]. 

This picture has been adapted by Goubault-Larrecq to the topological setting 
by proposing analogues of the word embedding and tree embedding, together 
with a proof that they preserve Noetherian spaces [12, Section 9.7]. However, 
both the definitions and the proofs have an increased complexity, as they rely 
on an adapted “topological minimal bad sequence argument” that appears to be 
even more subtle [14, errata n. 26]. Moreover, the newly introduced topologies 
have involved definitions often relying on ad-hoc constructions. 


In the case of well-quasi-orderings, two generic fixed point constructions have 
been proposed to handle inductively defined datatypes [17, 8]. In these frameworks, 
$\mathrm{lfp}_X.F(X)$ is guaranteed to be a well-quasi-ordering provided that $F$ is a 
"well-behaved functor" of quasi-orders. Both proposals, while relying on different 
categorical notions, successfully recover Higman's word embedding and Kruskal's 
tree embedding through their respective definitions as least fixed points. As a side 
effect, they reinforce the idea that these two quasi-orders are somehow canonical. 

In the case of Noetherian spaces, no equivalent framework exists to build 
inductive datatypes, and the notions of "well-behaved" constructors from [17, 8] 
rule out the use of important Noetherian spaces, as they require that an element 
$a \in F(X)$ has been built using finitely many elements of $X$: while this is the 
case for finite words and finite trees, it does not hold for the arbitrary powerset. 
Moreover, there have been recent advances in placing Noetherian topologies over 
spaces that are not straightforwardly obtained through "well-behaved" definitions, 
such as infinite words [13], or even ordinal length words [15]. 


1.1 Contributions of this paper 


In this paper, we propose a least fixed point theorem for Noetherian topologies. 
This is done in a way that greatly differs from the categorical frameworks 
introduced in the study of well-quasi-orders, as the construction of the space 
is entirely decoupled from the construction of the topology. In particular, the 
carrier set $X$ itself need not be inductively defined. 

In this setting, we consider a fixed set $X$ and a map $R$ from topologies $\tau$ over 
$X$ to topologies $R(\tau)$ over $X$. Because the set of topologies over $X$ is a complete 
lattice, it suffices to ask for $R$ to be monotone to guarantee that it has a least 
fixed point, that we write $\mathrm{lfp}_\tau.R(\tau)$. In general, this least fixed point will not 
be Noetherian, but we show that a simple sufficient condition on $R$ guarantees 
that it is. This main theorem (Theorem 3.21) encapsulates all the complexity of 
the topological adaptations of the minimal bad sequence arguments [12, Section 
9.7], and we believe that it has its own interest. 

The necessity to separate the construction of the set of points from the construction 
of the topology might be perceived as a weakness of the theory, when 
it is in fact a strength of our approach. We illustrate this by giving a shorter 
proof that the words of ordinal length are Noetherian [15], without providing an 
inductive definition of the space. As an illustration of the versatility of our framework, 
we introduce a reasonable topology over ordinal branching trees (with 
finite depth), and prove that it is Noetherian using the same technique. 

In the specific cases where the space of interest can be obtained as a least 
fixed point of a "well-behaved" functor, we show how Theorem 3.21 can be 
used to generalise the categorical framework of Hasegawa [17] to a topological 
setting. As well as adding inductively defined topologies (hence, inductively defined 
datatypes) to the theory of Noetherian spaces, this provides a reasonable 
answer to the canonicity issue previously mentioned. 


Outline. In Section 2 we recall some of the main results in the theory of Noetherian 
spaces. In Section 3 we prove our main result (Theorem 3.21). In Section 4 
we explore how this result covers existing topological results in the literature, 
and provide a new non-trivial Noetherian space (Definition 4.7). In Section 5, 
we leverage our main result to devise a Noetherian topology over inductively 
defined datatypes (Theorem 5.13), and prove that this generalises the work of 
Hasegawa over well-quasi-orders (Theorem 5.15). 


2 A Quick Primer on Noetherian Topologies 


A topological space is a pair $(X, \tau)$ where $\tau \subseteq \mathcal{P}(X)$, $\tau$ is stable under finite 
intersections, and $\tau$ is stable under arbitrary unions. A subset $U \subseteq X$ is an 
open subset when $U \in \tau$, and a closed subset when $X \setminus U \in \tau$. As an order- 
theoretic counterpart to open and closed subsets, we say that a subset $U$ of 
a quasi-ordered set $(E, \le)$ is upwards-closed whenever for all $x \in U$, $x \le y$ 
implies $y \in U$. Similarly, a subset is downwards-closed whenever its complement 
is upwards-closed. One can convert back and forth between the two as follows: 


Notation 2.1. Let $(E, \le)$ be a quasi-order and $(X, \tau)$ be a topological space. The 
Alexandroff topology $\mathrm{alex}(\le)$ over $E$ is the collection of upwards-closed subsets 
of $E$. The specialisation preorder $\le_\tau$ is defined via $x \le_\tau y$ whenever for every 
open subset $U \in \tau$, if $x \in U$ then $y \in U$. 


It is an easy check that the specialisation pre-order of the Alexandroff topology 
of a quasi-order $\le$ is the quasi-order itself. Beware that several topologies 
can share the same specialisation pre-order $\le$, and among those, the Alexandroff 
topology is the finest. 

We can now build the topological analogue to wqos through the notion of 
compactness: a subset $K$ of $X$ is defined as compact whenever from every family 
$(U_i)_{i \in I}$ of open sets such that $K \subseteq \bigcup_{i \in I} U_i$, one can extract a finite subset 
$J \subseteq I$ such that $K \subseteq \bigcup_{i \in J} U_i$. A quasi-order $(E, \le)$ is wqo if and only if every 
subset $K$ of $E$ is compact for $\mathrm{alex}(\le)$. Generalising this property to arbitrary 
topological spaces $(X, \tau)$, a topological space $(X, \tau)$ is said to be a Noetherian 
space whenever every subset of $X$ is compact. 
Table 1. An algebra of Noetherian spaces [see 10, 12, 15]. 

Constructor          Syntax             Topology 
Well-quasi-orders    $E$                Alexandroff topology 
Complex vectors      $\mathbb{C}^n$     Zariski topology 
Disjoint sum         $X_1 + X_2$        co-product topology 
Product              $X_1 \times X_2$   product topology 
Finite words         $X^*$              subword topology 
Finite trees         $T(X)$             tree topology 
Finite multisets     $X^{\circledast}$  multiset topology 
Transfinite words    $X^{<\alpha}$      transfinite subword topology 
Powerset             $\mathcal{P}(X)$   Lower-Vietoris 


Remark 2.2. A space $(X, \tau)$ is Noetherian if and only if for every increasing 
sequence of open subsets $(U_i)_{i \in \mathbb{N}}$, there exists $j \in \mathbb{N}$ such that $\bigcup_{i \in \mathbb{N}} U_i = \bigcup_{i \le j} U_i$. 


In order to inductively define Noetherian spaces, we will often rely on basic 
constructors such as the disjoint sum and the finite product. For completeness, 
we recall in Table 1 usual constructors that preserve Noetherian spaces. This 
table also illustrates the versatility of the concept, that encompasses both the 
algebraic properties of $\mathbb{C}^n$ and the order properties of well-quasi-orders. 


3 Refinements of Noetherian topologies 


Let us fix a set $X$. The collection of topologies over $X$ is itself a set, and forms 
a complete lattice for inclusion. In this lattice, the least element is the trivial 
topology $\tau_{\mathrm{triv}} := \{\emptyset, X\}$, and the greatest element is the discrete topology $\mathcal{P}(X)$. 
Thanks to Tarski's fixed point theorem, every monotone function $R$ mapping 
topologies over $X$ to topologies over $X$ has a least fixed point, which can be 
obtained by transfinitely iterating $R$ from the trivial topology. Writing $\mathrm{lfp}_\tau.R(\tau)$ 
for the least fixed point of $R$, our goal is to provide sufficient conditions for 
$(X, \mathrm{lfp}_\tau.R(\tau))$ to be Noetherian. 


Definition 3.1. A refinement function over a set $X$ is a function $R$ mapping 
topologies over $X$ to topologies over $X$. Moreover, we assume that $R(\tau)$ is Noetherian 
whenever $\tau$ is, and that $R(\tau) \subseteq R(\tau')$ when $\tau \subseteq \tau'$. 


As $(X, \tau_{\mathrm{triv}})$ is always Noetherian, $(X, R^n(\tau_{\mathrm{triv}}))$ is Noetherian for all $n \in \mathbb{N}$ 
and refinement function $R$. However, it remains unclear whether the transfinite 
iterations needed to reach a fixed point preserve Noetherian spaces. 

We demonstrate in Example 3.2 how to obtain the topology $\mathrm{alex}(\le)$ over 
$\mathbb{N}$ as a least fixed point of some simple refinement function. Before that, let us 
define the notion of upwards-closure: given a quasi-order $(E, \le)$ and a set $S \subseteq E$, 
let us define the upwards-closure of $S$, written $\uparrow_\le S$, as the set of elements that 
are greater or equal than some element of $S$ in $E$. 
Example 3.2 (Natural Numbers). Over $X := \mathbb{N}$, one can define $\mathrm{Div}(\tau)$ as the 
collection of the sets $\uparrow_\le (U + 1)$ for $U \in \tau$, plus $\mathbb{N}$ itself. Then $\mathrm{Div}(\tau_{\mathrm{triv}}) = 
\{\emptyset, \uparrow_\le 1, \mathbb{N}\}$, $\mathrm{Div}^2(\tau_{\mathrm{triv}}) = \{\emptyset, \uparrow_\le 1, \uparrow_\le 2, \mathbb{N}\}$. More generally, for every $k \ge 0$, 
$\mathrm{Div}^k(\tau_{\mathrm{triv}}) = \{\emptyset, \uparrow_\le 1, \dots, \uparrow_\le k, \mathbb{N}\}$. It is an easy check that $\mathrm{lfp}_\tau.\mathrm{Div}(\tau)$ is precisely 
$\mathrm{alex}(\le)$, which is Noetherian because $(\mathbb{N}, \le)$ is a well-quasi-ordering. 


3.1 An ill-behaved refinement function 


Not all refinement functions behave as nicely as in Example 3.2, and one can 
obtain non-Noetherian topologies via their least fixed points. 

Let us consider for this section $X := \{a, b\}$ with the discrete topology, i.e., 
$\{\emptyset, \{a\}, \{b\}, X\}$. Let us now build the set $X^*$ of finite words over $X$. Whenever 
$U$ and $V$ are subsets of $X^*$, let us write $UV$ for their concatenation, defined 
as $\{uv : u \in U, v \in V\}$. To construct an ill-behaved refinement function, we will 
associate to a topology $\tau$ the set $\{UV : U \in \{\emptyset, \{a\}, \{b\}, X\}, V \in \tau\}$. However, 
the latter fails to be a topology in general. This problem frequently appears in 
this paper, and is solved by considering the so-called generated topology. 

Let us briefly recall that for every set $X$ and collection of subsets $\mathcal{B} \subseteq 
\mathcal{P}(X)$, one can construct the topology generated from $\mathcal{B}$ as the least topology 
on $X$ containing $\mathcal{B}$. This topology coincides with the one containing arbitrary 
unions of finite intersections of subsets in $\mathcal{B}$. We say that $\mathcal{B}$ is a subbasis of $\tau$ 
when $\tau$ is the topology generated by $\mathcal{B}$. Alexander's Subbase Lemma makes it possible to 
study Noetherian spaces in this setting [12, Thm. 4.4.29]: it states that checking 
whether a subset $K$ of $X$ is compact in $\tau$ can be done by considering only open 
subsets in $\mathcal{B}$, i.e., that for every family $(U_i)_{i \in I}$ of a subbasis $\mathcal{B}$ of $\tau$ such that 
$K \subseteq \bigcup_{i \in I} U_i$, one can extract a finite subset $J \subseteq I$ such that $K \subseteq \bigcup_{i \in J} U_i$. 

Definition 3.3. Let $R_{\mathrm{pref}}$ be the function mapping a topology $\tau$ over $X^*$ to the 
topology generated by the sets $UV$ where $U \subseteq X$ and $V \in \tau$. 


We refer to Figure 1 for a graphical presentation of the first two iterations 
of the refinement function $R_{\mathrm{pref}}$. For the sake of completeness, let us compute 
$\mathrm{lfp}_\tau.R_{\mathrm{pref}}(\tau)$, which is the Alexandroff topology of the prefix ordering on words. 


Definition 3.4. The prefix topology³ $\tau_{\mathrm{pref}}$ over $X^*$ is generated by the following 
open sets: $U_1 \cdots U_n X^*$, where $n \ge 0$ and $U_i \subseteq X$. 


Lemma 3.5. The prefix topology over $X^*$ is the least fixed point of $R_{\mathrm{pref}}$. 

Lemma 3.6. The function $R_{\mathrm{pref}}$ is a refinement function. 


Proof. It is an easy check that whenever $\tau \subseteq \tau'$, $R_{\mathrm{pref}}(\tau) \subseteq R_{\mathrm{pref}}(\tau')$. Now, assume 
that $\tau$ is Noetherian; it remains to prove that $R_{\mathrm{pref}}(\tau)$ remains Noetherian. 
Consider a subset $E \subseteq X^*$ and let us prove that $E$ is compact in $R_{\mathrm{pref}}(\tau)$. 


3 This definition differs from what is called the “prefix topology” in the literature 
[see 6, 12, resp. Section 8 and Exercise 9.7.36]. 


Fig. 1. Iterating $R_{\mathrm{pref}}$ over $X^*$. On the left the trivial topology $\tau_{\mathrm{triv}}$, followed by $R_{\mathrm{pref}}(\tau_{\mathrm{triv}})$, 
and on the right $R_{\mathrm{pref}}^2(\tau_{\mathrm{triv}})$. 


For that, we consider an open cover $E \subseteq \bigcup_{i \in I} W_i$, where $W_i \in R_{\mathrm{pref}}(\tau)$. 
Thanks to Alexander's subbase lemma, we can assume without loss of generality 
that $W_i$ is a subbasic open set of $R_{\mathrm{pref}}(\tau)$, that is, $W_i = U_i V_i$ with $U_i \subseteq X$ and 
$V_i \in \tau$. 

Since $(X^*, \tau) \times (X^*, \tau)$ is Noetherian (see Table 1), there exists a finite set 
$J \subseteq I$ such that $\bigcup_{i \in J} U_i \times V_i = \bigcup_{i \in I} U_i \times V_i$. This implies that $E \subseteq \bigcup_{i \in J} U_i V_i$, 
and provides a finite subcover of $E$. 


The sequence $\bigcup_{0 \le i < k} a^i b X^*$, for $k \in \mathbb{N}$, is a strictly increasing sequence of 
opens. Therefore, the prefix topology is not Noetherian. The terms $a^i b X^*$ can 
be observed in Figure 1 as a diagonal of incomparable open sets. 


Corollary 3.7. The topology $\mathrm{lfp}_\tau.R_{\mathrm{pref}}(\tau)$ is not Noetherian. 
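As an added example (not code from the paper), the following Python script iterates $R_{\mathrm{pref}}$ of Definition 3.3 from the trivial topology over $\{a,b\}^*$ and exhibits the strictly increasing chain of open sets used for Corollary 3.7; the encoding of an open set as the antichain of its prefix-minimal words is our own assumption, valid because every open set met in this iteration is upward-closed for the prefix order.

```python
"""Iterating the refinement function R_pref of Definition 3.3 over X* for X = {a, b}.
Added example, not code from the paper.  Every open set met here is upward-closed
for the prefix order, so (our encoding) an open is stored as the antichain of its
prefix-minimal words: frozenset() is the empty set, frozenset({""}) is X* itself."""
from itertools import combinations

ALPHABET = "ab"
EMPTY = frozenset()          # the empty open set
FULL = frozenset({""})       # X*: every word extends the empty word


def minimal(words):
    """Antichain of prefix-minimal words: a word is dropped when a proper prefix is kept."""
    keep = set()
    for w in sorted(set(words), key=len):
        if not any(w[:j] in keep for j in range(len(w))):
            keep.add(w)
    return frozenset(keep)


def union(A, B):
    return minimal(A | B)


def intersection(A, B):
    """up(A) ∩ up(B): comparable a ∈ A, b ∈ B contribute the longer of the two words."""
    return minimal(b if b.startswith(a) else a
                   for a in A for b in B if b.startswith(a) or a.startswith(b))


def subset(A, B):
    """up(A) ⊆ up(B) iff every minimal word of A extends a minimal word of B."""
    return all(any(a.startswith(b) for b in B) for a in A)


def concat(U, A):
    """U·up(A) for U ⊆ X, the generating sets of Definition 3.3: {x·w : x ∈ U, w ∈ up(A)}."""
    return minimal(x + a for x in U for a in A)


def close_under(op, seeds):
    """Smallest family containing `seeds` and closed under the binary operation `op`."""
    family, work = set(seeds), list(seeds)
    while work:
        A = work.pop()
        for B in list(family):
            C = op(A, B)
            if C not in family:
                family.add(C)
                work.append(C)
    return family


def generated(subbasis):
    """Topology generated by a finite subbasis: all unions of finite intersections
    (the empty intersection is X*, the empty union is the empty set)."""
    finite_intersections = close_under(intersection, set(subbasis) | {FULL})
    return frozenset(close_under(union, finite_intersections | {EMPTY}))


def rpref(tau):
    """R_pref(τ): the topology generated by the sets U·V with U ⊆ X and V ∈ τ."""
    subsets_of_x = [frozenset(c) for r in range(len(ALPHABET) + 1)
                    for c in combinations(ALPHABET, r)]
    return generated({concat(U, V) for U in subsets_of_x for V in tau})


def rpref_iterates(n):
    """[τ_triv, R_pref(τ_triv), ..., R_pref^n(τ_triv)], the topologies drawn in Figure 1."""
    tau = frozenset({EMPTY, FULL})
    out = [tau]
    for _ in range(n):
        tau = rpref(tau)
        out.append(tau)
    return out


def diagonal(k):
    """The opens a^i b X* for i < k and their union ∪_{i<k} a^i b X* (Corollary 3.7)."""
    terms = [frozenset({"a" * i + "b"}) for i in range(k)]
    return terms, minimal(w for t in terms for w in t)


def is_strict_chain(k):
    """∪_{i<j} a^i b X* grows strictly with j = 1..k: by Remark 2.2 a topology containing
    all these opens (the prefix topology does) cannot be Noetherian."""
    unions = [diagonal(j)[1] for j in range(1, k + 1)]
    return all(subset(u, v) and u != v for u, v in zip(unions, unions[1:]))


def pairwise_incomparable(opens):
    """The diagonal of Figure 1: no a^i b X* is included in another one."""
    return all(not subset(A, B) for A in opens for B in opens if A != B)


if __name__ == "__main__":
    its = rpref_iterates(2)
    print([len(t) for t in its])           # 2, 5 and 26 open sets
    print(is_strict_chain(6), pairwise_incomparable(diagonal(6)[0]))
```

Each $R_{\mathrm{pref}}^k(\tau_{\mathrm{triv}})$ is finite, but the $k$-th one already contains $\bigcup_{i<k} a^i b X^*$, so no finite iteration reaches the fixed point.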


The prefix topology is not Noetherian, even when starting from a finite alphabet. 
However, we claimed in Section 1 that there is a natural generalisation 
of the subword embedding to topological spaces which is Noetherian. Before introducing 
this topology, let us write $[U_1, \dots, U_n]$ as a shorthand notation for the 
set $X^* U_1 X^* \cdots X^* U_n X^*$. 


Definition 3.8 (Subword topology [12, Definition 9.7.26]). Given a topological 
space $(X, \tau)$, the space $X^*$ of finite words over $X$ can be endowed with the 
subword topology, generated by the open sets $[U_1, \dots, U_n]$ when $U_i \in \tau$. 


The topological Higman lemma [12, Theorem 9.7.33] states that the subword 
topology over $X^*$ is Noetherian if and only if $X$ is Noetherian. Although the 
subword topology might seem ad-hoc, it can be validated as a generalisation 
of the subword embedding because the subword topology of $\mathrm{alex}(\le)$ equals the 
Alexandroff topology of the subword ordering of $\le$, for every quasi-order $\le$ over 
$X$ [12, Exercise 9.7.30]. Let us now reverse engineer a refinement function whose 
least fixed point is the subword topology. 

Definition 3.9. Let $(X, \theta)$ be a topological space. Let $E^\theta_{\mathrm{words}}$ be defined as mapping 
a topology $\tau$ over $X^*$ to the topology generated by the following sets: $\uparrow_{\le_*} UV$ 
for $U, V \in \tau$; and $\uparrow_{\le_*} W$, for $W \in \theta$. 
Fig. 2. The topology $(E^\theta_{\mathrm{words}})^2(\tau_{\mathrm{triv}})$, with bold red arrows for the inclusions that were 
not present between the "analogous sets" in $R_{\mathrm{pref}}^2(\tau_{\mathrm{triv}})$. We have taken $\theta$ to be the 
discrete topology over $X$. [Figure not reproduced; its nodes are open sets of the form $X^* a X^*$, $X^* b X^* a X^*$, and their intersections.] 


Lemma 3.10. Let $(X, \theta)$ be a topological space. The subword topology over $X^*$ 
is the least fixed point of $E^\theta_{\mathrm{words}}$. 

In order to show that $E^\theta_{\mathrm{words}}$ is a refinement function, we first claim that the 
two parts of the topology can be dealt with separately. 


Lemma 3.11 ([12, Proposition 9.7.18]). If $(X, \tau)$ and $(X, \tau')$ are Noetherian, 
then $X$ endowed with the topology generated by $\tau \cup \tau'$ is Noetherian. 


Lemma 3.12. Let $(X, \theta)$ be a Noetherian topological space. The map $E^\theta_{\mathrm{words}}$ is 
a refinement function over $X^*$. 

Proof. We leave the monotonicity of $E^\theta_{\mathrm{words}}$ as an exercise and focus on the proof 
that $E^\theta_{\mathrm{words}}(\tau)$ is Noetherian whenever $\tau$ is. Thanks to Lemma 3.11, it suffices 
to prove that the topology generated by the sets $\uparrow_{\le_*} UV$ ($U, V$ open in $\tau$), and 
the topology generated by the sets $\uparrow_{\le_*} W$ ($W$ open in $\theta$) are Noetherian. 

Let $(\uparrow_{\le_*} U_i V_i)_{i \in \mathbb{N}}$ be a sequence of open sets. Because Noetherian topologies 
are closed under products (see Table 1), there exists $k$ such that $\bigcup_{i \le k} U_i \times V_i = 
\bigcup_{i \in \mathbb{N}} U_i \times V_i$. Hence, $\bigcup_{i \le k} \uparrow_{\le_*} U_i V_i = \bigcup_{i \in \mathbb{N}} \uparrow_{\le_*} U_i V_i$. 

Let $(\uparrow_{\le_*} W_i)_{i \in \mathbb{N}}$ be a sequence of open sets. Because $\theta$ is Noetherian, there exists 
$k$ such that $\bigcup_{i \le k} W_i = \bigcup_{i \in \mathbb{N}} W_i$, hence $\bigcup_{i \le k} \uparrow_{\le_*} W_i = \bigcup_{i \in \mathbb{N}} \uparrow_{\le_*} W_i$. 


We have designed two refinement functions $R_{\mathrm{pref}}$ and $E^\theta_{\mathrm{words}}$ over $X^*$. Fixing $\theta$ 
to be the discrete topology over $X$, the least fixed point of $R_{\mathrm{pref}}$ is not Noetherian 
while the least fixed point of $E^\theta_{\mathrm{words}}$ is. We have depicted the result of iterating 
$E^\theta_{\mathrm{words}}$ twice over the trivial topology in Figure 2. As opposed to $R_{\mathrm{pref}}$, the 
"diagonal" elements are comparable for inclusion. 


3.2 Well-behaved refinement functions 


In this section, we will show how the behaviour of refinement functions with 
respect to subsets will act as a sufficient condition to separate the well-behaved 
ones from the others. In order to make the idea of computing the refinement 
function directly over a subset precise, we will replace a subset with the induced 
topology by a "restricted" topology over the whole space. 


Definition 3.13. Let $(X, \tau)$ be a topological space and $H$ be a closed subset of 
$X$. Define the subset restriction $\tau|H$ to be the topology generated by the open 
subsets $U \cap H$ where $U$ ranges over $\tau$. 


Let $X$ be a topological space, and $H$ be a proper closed subset of $X$. The 
space $X$ endowed with $\tau|H$ has a lattice of open sets that is isomorphic to the 
one of the space $H$ endowed with the topology induced by $\tau$, except for the entire 
space $X$ itself. As witnessed by Example 3.14, the two spaces are in general not 
homeomorphic. 


Example 3.14. Let $\mathbb{R}$ be endowed with the usual metric topology. The set $\{a\}$ 
is a closed set when $a \in \mathbb{R}$. The induced topology over $\{a\}$ is $\{\emptyset, \{a\}\}$. The 
subset restriction of the topology to $\{a\}$ is $\tau_a := \{\emptyset, \{a\}, \mathbb{R}\}$. Clearly, $(\mathbb{R}, \tau_a)$ and 
$(\{a\}, \tau_{\mathrm{triv}})$ are not homeomorphic. 


In order to build intuition, let us consider the special case of an Alexandroff 
topology over $X$ and compute the specialisation preorder of $\tau|H$, where $H$ is a 
downwards closed set. 


Lemma 3.15. Let $\tau = \mathrm{alex}(\le)$ over a set $X$, and $x, y \in X$. Then, $x \le_{\tau|H} y$ if 
and only if $x \le y \wedge y \in H$ or $x \notin H$. In other words, $H^c$ is collapsed to an 
equivalence class below $H$ itself. 


Definition 3.16. A topology expander is a refinement function $E$ that satisfies 
the following extra property: for every Noetherian topology $\tau$ satisfying $\tau \subseteq E(\tau)$, 
for all closed set $H$ in $\tau$, $E(\tau)|H \subseteq E(\tau|H)|H$. 


Lemma 3.17. The refinement function $R_{\mathrm{pref}}$ is not a topology expander. 

Proof. Let us consider $\tau := \{\emptyset, aX^*, bX^*, X^*\}$. Remark that $H := aX^* \cup \{\varepsilon\}$ 
is a closed subset because $X = \{a, b\}$. It is an easy check that $R_{\mathrm{pref}}(\tau)|H = 
\{\emptyset, aaX^*, abX^*, aX^*, X^*\} \ne \{\emptyset, aaX^*, aX^*, X^*\} = R_{\mathrm{pref}}(\tau|H)|H$. 


Lemma 3.18. When $\theta$ is Noetherian, $E^\theta_{\mathrm{words}}$ is a topology expander.


Proof. We have proven in Lemma 3.12 that $E^\theta_{\mathrm{words}}$ is a refinement function. Let
us now prove that it is a topology expander.
Let $\tau$ be a Noetherian topology over $\Sigma^*$, such that $\tau \subseteq E^\theta_{\mathrm{words}}(\tau)$. Let $H$
be a closed subset of $(\Sigma^*, \tau)$. Notice that as $H$ is closed in $\tau$, and since $\tau \subseteq
E^\theta_{\mathrm{words}}(\tau)$, $H$ is downwards closed for $\le_*$. As a consequence, $(\uparrow_{\le_*} UV) \cap H =
(\uparrow_{\le_*} (U \cap H)(V \cap H)) \cap H$. Hence, $E^\theta_{\mathrm{words}}(\tau)|H \subseteq E^\theta_{\mathrm{words}}(\tau|H)|H$.

3.3 Iterating Expanders


Our goal is now to prove that topology expanders are refinement functions that 
can be safely iterated. For that, let us first define precisely what “iterating 
transfinitely” a refinement function means. 


Definition 3.19. Let $(X, \tau)$ be a topological space, and $E$ be a topology expander.
The limit topology $E^\alpha(\tau)$ is defined as: $\tau$ when $\alpha = 0$, $E(E^\beta(\tau))$ when $\alpha = \beta + 1$,
and as the join of the topologies $E^\beta(\tau)$ for all $\beta < \alpha$, when $\alpha$ is a limit ordinal.


We devote the rest of this section to proving our main theorem, which immediately implies that least fixed points of topology expanders are Noetherian.
Notice that Proposition 3.20 is trivial whenever $\alpha$ is a successor ordinal.


Proposition 3.20. Let $\alpha$ be an ordinal, $\tau$ be a topology, and $E$ be a topology
expander. If $E^\beta(\tau)$ is Noetherian for all $\beta < \alpha$, and $\tau \subseteq E(\tau)$, then $E^\alpha(\tau)$ is
Noetherian.


Theorem 3.21 (Main Result). Let $X$ be a set and $E$ be a topology expander.
The least fixed point of $E$ is a Noether
ian topology over $X$.


The topological minimal bad sequence argument. In order to prove Theorem 3.21, we will use a topological minimal bad sequence argument. To that
end, let us first introduce a well-founded partial ordering over the elements of
$E^\alpha(\tau)$. With an open set $U \in E^\alpha(\tau)$, we associate a depth $\mathrm{depth}(U)$, defined as
the smallest ordinal $\beta \le \alpha$ such that $U \in E^\beta(\tau)$. We then define $U \le V$ to hold
whenever $\mathrm{depth}(U) \le \mathrm{depth}(V)$, and $U < V$ whenever $\mathrm{depth}(U) < \mathrm{depth}(V)$. It
is an easy check that this is a well-founded total quasi-order over $E^\alpha(\tau)$.

As a first step towards proving that $E^\alpha(\tau)$ is Noetherian for a limit ordinal
$\alpha$, we first reduce the problem to open subsets of depth strictly less than $\alpha$ itself.


Lemma 3.22. Let $\alpha$ be a limit ordinal, and $E$ be a topology expander. The topology $E^\alpha(\tau)$ has a subbasis of elements of depth strictly below $\alpha$.


Let us recall the notion of topological bad sequence designed by Goubault- 
Larrecq [12, Lemma 9.7.31] in the proof of the Topological Kruskal Theorem, 
adapted to our ordering of subbasic open sets. 


Definition 3.23. Let $(X, \tau)$ be a topological space. A sequence $U = (U_i)_{i \in \mathbb{N}}$ of
open subsets is good if there exists $i \in \mathbb{N}$ such that $U_i \subseteq \bigcup_{j < i} U_j$. A sequence
that is not good is called bad.


Lemma 3.24. Let $\alpha$ be a limit ordinal, and $E$ be a topology expander such that
$E^\alpha(\tau)$ is not Noetherian. Then, there exists a bad sequence $U$ of open subsets
in $E^\alpha(\tau)$ of depth less than $\alpha$ that is lexicographically minimal for $\le$. Such a
sequence is called minimal bad.
We deduce that in a limit topology, minimal bad sequences are not allowed to
use open subsets of arbitrary depth. This will then be leveraged via Lemma 3.27
to decrease the depth by one.


Lemma 3.25. Let $\alpha$ be a limit ordinal, $\tau$ be a topology and $E$ be a topology
expander such that $E^\beta(\tau)$ is Noetherian for all $\beta < \alpha$. Assume that $U = (U_i)_{i \in \mathbb{N}}$
is a minimal bad sequence of $E^\alpha(\tau)$. Then, for every $i \in \mathbb{N}$, $\mathrm{depth}(U_i)$ is either
$0$ or a successor ordinal.


Definition 3.26. Let $\alpha$ be an ordinal, $\tau$ be a topology, $E$ be a topology expander
such that $\tau \subseteq E(\tau)$, and let $U \in E^\alpha(\tau)$. The topology $\mathrm{Down}(U)$ is generated by
the open sets $V$ such that $V < U$, where $V$ ranges over $E^\alpha(\tau)$.


Lemma 3.27. Let $\alpha$ be an ordinal, $E$ be a topology expander and $U \in E^\alpha(\tau)$. If
$\mathrm{depth}(U)$ is a successor ordinal, then $U \in E(\mathrm{Down}(U))$.


If $U$ is a minimal bad sequence in $(X, E^\alpha(\tau))$, then $U_i \not\subseteq \bigcup_{j < i} U_j =: V_i$, i.e.,
$U_i \cap V_i^c \neq \emptyset$. We can now use our subset restriction operator to devise a topology
associated to this minimal bad sequence. Noticing that $H_i := V_i^c$ is a closed set
in $E^\alpha(\tau)$, we can build the subset restriction $\mathrm{Down}(U_i)|H_i$.


Definition 3.28. Let $\alpha$ be an ordinal, $\tau$ be a topology, $E$ be a topology expander
such that $\tau \subseteq E(\tau)$, and let $U = (U_i)_{i \in \mathbb{N}}$ be a minimal bad sequence in $E^\alpha(\tau)$.
Then, the minimal topology $\mathcal{U}(E^\alpha(\tau))$ is generated by $\bigcup_{i \in \mathbb{N}} \mathrm{Down}(U_i)|H_i$, where
$H_i := (\bigcup_{j < i} U_j)^c$.


Lemma 3.29. Let $\alpha$ be an ordinal, $\tau$ be a topology, $E$ be a topology expander
such that $\tau \subseteq E(\tau)$, and let $U = (U_i)_{i \in \mathbb{N}}$ be a minimal bad sequence in $E^\alpha(\tau)$.
Then, the minimal topology $\mathcal{U}(E^\alpha(\tau))$ is Noetherian.


Proof. Assume by contradiction that $\mathcal{U}(E^\alpha(\tau))$ is not Noetherian. Let us define
$V_i$ as $\bigcup_{j < i} U_j$, and $H_i$ as $V_i^c$.

Thanks to [12, Lemma 9.7.15] there exists a bad sequence $W := (W_i)_{i \in \mathbb{N}}$ of
subbasic elements of $\mathcal{U}(E^\alpha(\tau))$. By definition, $W_i$ is in some $\mathrm{Down}(U_j)|H_j$. Let
us select a mapping $p \colon \mathbb{N} \to \mathbb{N}$, such that $W_i \in \mathrm{Down}(U_{p(i)})|H_{p(i)}$. This amounts
to the existence of an open $T_{p(i)}$, such that $T_{p(i)} < U_{p(i)}$, and $W_i = T_{p(i)} \setminus V_{p(i)}$.
Without loss of generality we assume that $p$ is monotonic.

Let us build the sequence $Y$ defined by $Y_i := U_i$ if $i < p(0)$ and $Y_i := T_{p(i)}$
otherwise. This is a sequence of open sets in $E^\alpha(\tau)$ that is lexicographically
smaller than $U$, hence $Y$ is a good sequence: there exists $i \in \mathbb{N}$ such that $Y_i \subseteq
\bigcup_{j < i} Y_j$.
— If $i < p(0)$, then $U_i \subseteq \bigcup_{j < i} U_j$, contradicting that $U$ is bad.
— If $i \ge p(0)$, let us write $Y_i = T_{p(i)} \subseteq \bigcup_{j < p(0)} U_j \cup \bigcup_{p(0) \le j < i} T_{p(j)}$. By taking the
intersection with $H_{p(i)}$, we obtain $W_i \subseteq \bigcup_{j < i} W_j$, contradicting the fact that
$W$ is a bad sequence.


We are now ready to leverage our knowledge of minimal topologies associated 
with minimal bad sequences to carry on the proof of our main theorem. 
Proposition 3.20. Let $\alpha$ be an ordinal, $\tau$ be a topology, and $E$ be a topology
expander. If $E^\beta(\tau)$ is Noetherian for all $\beta < \alpha$, and $\tau \subseteq E(\tau)$, then $E^\alpha(\tau)$ is
Noetherian.


Proof. If $\alpha$ is a successor ordinal, then $\alpha = \beta + 1$ and $E^\alpha(\tau) = E(E^\beta(\tau))$. Because $E$ respects Noetherian topologies, we immediately conclude that $E^\alpha(\tau)$
is Noetherian. We are therefore only interested in the case where $\alpha$ is a limit
ordinal.

Assume by contradiction that $E^\alpha(\tau)$ is not Noetherian; using Lemma 3.24
there exists a minimal bad sequence $U := (U_i)_{i \in \mathbb{N}}$. Let us write $d_i := \mathrm{depth}(U_i) <
\alpha$. Thanks to Lemma 3.25, $d_i$ is either $0$ or a successor ordinal.

Because $E^\beta(\tau)$ is Noetherian for $\beta < \alpha$, there are finitely many open subsets
$U_i$ at depth $\beta$ for every ordinal $\beta < \alpha$. Indeed, if there were infinitely many, one
would extract an infinite bad sequence of opens in $E^\beta(\tau)$, which is absurd.

Furthermore, the sequence $(d_i)_{i \in \mathbb{N}}$ must be monotonic, otherwise $U$ would
not be lexicographically minimal. We can therefore construct a strictly increasing map $p \colon \mathbb{N} \to \mathbb{N}$ such that $0 < \mathrm{depth}(U_{p(j)})$ and $\mathrm{depth}(U_i) < \mathrm{depth}(U_{p(j)})$
whenever $0 \le i < p(j)$.

Let us consider some $i = p(n)$ for some $n \in \mathbb{N}$. Let us write $V_i := \bigcup_{j < i} U_j$
and $H_i := X \setminus V_i$. The set $V_i$ is open in $\mathrm{Down}(U_i)$ by construction of $p$, hence
$H_i$ is closed in $\mathrm{Down}(U_i)$. As $E$ is a topology expander, and $\mathrm{Down}(U_i)|H_i \subseteq \mathcal{U}(E^\alpha(\tau))$ by Definition 3.28, we derive the following
inclusions:

$E(\mathrm{Down}(U_i))|H_i \subseteq E(\mathrm{Down}(U_i)|H_i)|H_i \subseteq E(\mathcal{U}(E^\alpha(\tau)))|H_i$.

Recall that $U_i \in E(\mathrm{Down}(U_i))$ thanks to Lemma 3.27. As a consequence,
$U_i \setminus V_i = W_i \setminus V_i$ for some open set $W_i$ in $E(\mathcal{U}(E^\alpha(\tau)))$. Thanks to Lemma 3.29,
and preservation of Noetherian topologies through topology expanders, the latter
is a Noetherian topology. Therefore, $(W_{p(i)})_{i \in \mathbb{N}}$ is a good sequence. This provides
an $i \in \mathbb{N}$ such that $W_{p(i)} \subseteq \bigcup_{j < i} W_{p(j)}$. In particular,

$U_{p(i)} \setminus V_{p(i)} = W_{p(i)} \setminus V_{p(i)} \subseteq \bigcup_{p(j) < p(i)} W_{p(j)} \setminus V_{p(i)} \subseteq \bigcup_{p(j) < p(i)} W_{p(j)} \setminus V_{p(j)}$
$\subseteq \bigcup_{p(j) < p(i)} U_{p(j)} \setminus V_{p(j)} \subseteq \bigcup_{j < p(i)} U_j.$

This proves that $U_{p(i)} \subseteq V_{p(i)}$, i.e. that $U_{p(i)} \subseteq \bigcup_{j < p(i)} U_j$. Finally, this contradicts the fact that $U$ is bad.


We have effectively proven that being well-behaved with respect to closed 
subspaces is enough to consider least fixed points of refinement functions. This 
behaviour should become clearer in the upcoming sections, where we illustrate 
how this property can be ensured both in the case of Noetherian spaces and 
well-quasi-orderings. 
4 Applications of Topology Expanders


We now briefly explore topologies that can be proven to be Noetherian using
Theorem 3.21. It should not be surprising that both the topological Higman
lemma and the topological Kruskal theorem fit in the framework of topology
expanders, as both were already proven using a minimal bad sequence argument.
However, we will proceed to extend the use of topology expanders to spaces for
which the original proof did not use a minimal bad sequence argument, and
illustrate how they can easily be used to define new Noetherian topologies.


Finite words and finite trees. As a first example, we can easily recover the
topological Higman lemma [12, Theorem 9.7.33] because the subword topology
is the least fixed point of $E^\theta_{\mathrm{words}}$, which is a topology expander (see Lemmas 3.10
and 3.18).

It does not require much effort to generalise this proof scheme to the case of
the topological Kruskal theorem [12, Theorem 9.7.46]. As a shorthand notation,
let us write $t \in \Diamond U(V)$ whenever there exists a subtree $t'$ of $t$ whose root is
labelled by an element of $U$ and whose list of children belongs to $V$. Recall that
we write $u \le_* v$ when $u$ is a scattered subword of $v$, and $t \le_{\mathrm{tree}} t'$ when $t$ embeds
in $t'$ as a tree (see page 2). As for the subword topology, the definition is ad-hoc
but correctly generalises the tree embedding relation because the tree topology
of $\mathrm{alex}(\le)$ is the Alexandroff topology of $\le_{\mathrm{tree}}$, for every ordering $\le$ over $X$ [12,
Exercise 9.7.48].


Definition 4.1 ([12, Definition 9.7.39]). Let $(X, \theta)$ be a topological space.
The space $T(X)$ of finite trees over $X$ can be endowed with the tree topology,
the coarsest topology such that $\Diamond U(V)$ is open whenever $U$ is an open set of $X$,
and $V$ is an open set of $T(X)^*$ in its subword topology.


Definition 4.2. Let $(X, \theta)$ be a topological space. Let $E^\theta_{\mathrm{trees}}$ be the function that
maps a topology $\tau$ to the topology generated by the sets $\uparrow_{\le_{\mathrm{tree}}} U(V)$, for $U$ open
in $\theta$, $V$ open in $T(X)^*$ with the subword topology of $\tau$.


Lemma 4.3. The tree topology is the least fixed point of $E^\theta_{\mathrm{trees}}$, which is a topology expander. Hence, the tree topology is Noetherian when $\theta$ is.
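To make the two embedding relations used above concrete, here is an added example (not part of the paper) implementing the scattered subword relation $\le_*$, the tree embedding $\le_{\mathrm{tree}}$ on finite trees represented as nested (label, children) tuples, membership in $\Diamond U(V)$ for $U$ and $V$ given as predicates, and the good/bad test of Definition 3.23 in the Alexandroff case, where a sequence of opens $\uparrow t_0, \uparrow t_1, \ldots$ is good exactly when some $t_i$ embeds into a later $t_j$. The trees, and the use of equality as the ordering on labels, are constructed for the illustration.

```python
"""Higman subword embedding, Kruskal tree embedding and the good/bad
sequence test of Definition 3.23, specialised to Alexandroff topologies.

Added example, not code from the paper.  Trees are (label, [children])
tuples; the label ordering `leq` defaults to equality, which is the
finite-alphabet case where alex(=) is the discrete topology.
"""


def subword(u, v, leq=lambda a, b: a == b):
    """u <=_* v: u is a scattered subword of v, letters compared with leq.
    Greedy left-to-right matching is complete for this relation."""
    i = 0
    for b in v:
        if i < len(u) and leq(u[i], b):
            i += 1
    return i == len(u)


def tree_embeds(s, t, leq=lambda a, b: a == b):
    """s <=_tree t (homeomorphic tree embedding): either s embeds into a child
    of t, or the roots are ordered and the children of s embed as a scattered
    subword of the children of t, the letters being compared with <=_tree."""
    (ls, cs), (lt, ct) = s, t
    if any(tree_embeds(s, c, leq) for c in ct):
        return True
    return leq(ls, lt) and subword(cs, ct, lambda x, y: tree_embeds(x, y, leq))


def subtrees(t):
    """All subtrees of t, t itself included."""
    yield t
    for c in t[1]:
        yield from subtrees(c)


def in_diamond(t, in_U, in_V):
    """t ∈ ◇U(V): some subtree of t has its root label in U and its list of
    children in V; U and V are given as membership predicates."""
    return any(in_U(label) and in_V(children) for label, children in subtrees(t))


def first_good_index(seq, leq):
    """Definition 3.23 for the opens ↑seq[0], ↑seq[1], ...: the sequence is
    good at index i when ↑seq[i] ⊆ ⋃_{j<i} ↑seq[j], i.e. when seq[j] <= seq[i]
    for some j < i.  Returns the first such i, or None if the sequence is bad."""
    for i, t in enumerate(seq):
        if any(leq(seq[j], t) for j in range(i)):
            return i
    return None


# Constructed trees: a leaf, b(a), a(b, a), and a short sequence that is
# good at index 2 because b(b) embeds into b(a, b).
LEAF_A = ("a", [])
B_OVER_A = ("b", [("a", [])])
A_OVER_BA = ("a", [("b", []), ("a", [])])
SEQUENCE = [("b", [("b", [])]), ("a", [("a", [])]), ("b", [("a", []), ("b", [])])]


if __name__ == "__main__":
    print(subword("ab", "cacb"), subword("ba", "ab"))
    print(tree_embeds(LEAF_A, B_OVER_A), tree_embeds(B_OVER_A, A_OVER_BA))
    print(first_good_index(SEQUENCE, tree_embeds))
```

Passing a non-trivial `leq` on labels (a quasi-order rather than equality) turns `tree_embeds` into the embedding of $\mathrm{alex}(\le)$-labelled trees, and `first_good_index` then witnesses Kruskal's theorem on any concrete sequence: with a well-quasi-ordered label set it never returns None on an infinite sequence, which is exactly the Noetherian-ness of the tree topology in the Alexandroff case.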


Ordinal words. Let us now demonstrate how Theorem 3.21 can be applied
over spaces which are proved to be Noetherian without using a minimal bad
sequence argument. For that, let us consider $X^{<\alpha}$, the set of words of ordinal
length less than $\alpha$, where $\alpha$ is a fixed ordinal. Since $\le_*$ is in general not a wqo
on $X^{<\alpha}$ when $\le$ is a wqo on $X$, this also provides an example of a topological
minimal bad sequence argument that has no counterpart in the realm of wqos.


Definition 4.4 ([15]). Let $(X, \theta)$ be a topological space. The ordinal subword
topology over $X^{<\alpha}$ is the topology generated by the closed sets $F_1^{<\beta_1} \cdots F_n^{<\beta_n}$
for $n \in \mathbb{N}$, $F_i$ closed in $\theta$, $\beta_i < \alpha$, and where $F^{<\beta}$ is the set of words of length
less than $\beta$ with all of their letters in $F$.
The ordinal subword topology is Noetherian [15], but the proof is quite technical and relies on the in-depth study of the possible inclusions between the
subbasic closed sets. Before defining a suitable topology expander, given an ordinal $\beta$ and a set $U \subseteq X^{<\alpha}$, let us write $w \in \triangleright^\beta U$ if and only if $w = \prod_{\gamma < \beta} w_\gamma$
with $w_\gamma \in U$ for all $0 \le \gamma < \beta$.
Definition 4.5. Let $(X, \theta)$ be a topological space, and $\alpha$ be an ordinal. The
function $E^\theta_{\alpha\text{-}\mathrm{words}}$ maps a topology $\tau$ to the topology generated by the following
sets: $\uparrow_{\le_*} UV$ for $U, V$ open in $\tau$; $\uparrow_{\le_*} \triangleright^\beta U$, for $U$ open in $\tau$, $\beta < \alpha$; $\uparrow_{\le_*} W$,
for $W$ open in $\theta$.


Lemma 4.6. Given a Noetherian space $(X, \theta)$ and an ordinal $\alpha$, the map
$E^\theta_{\alpha\text{-}\mathrm{words}}$ is a topology expander, whose least fixed point contains the ordinal subword topology. Therefore, the ordinal subword topology is Noetherian.


Remark that Definitions 4.2, 4.5 and 3.9 all follow the same blueprint: new 
open sets are built as upwards closure for the corresponding quasi-order of the 
natural constructors associated to the space. We argue that this blueprint miti- 
gates the canonicity issue and the complexity of Definitions 4.1, 4.4 and 3.8. 


Ordinal branching trees. As an example of a new Noetherian topology derived using Theorem 3.21, we will consider $\alpha$-branching trees $T^{<\alpha}(\Sigma)$, i.e., the
least fixed point of the constructor $X \mapsto 1 + \Sigma \times X^{<\alpha}$ where $\alpha$ is a given ordinal.
This example was not known to be Noetherian, fails to be a well-quasi-order,
and illustrates how Theorem 3.21 easily applies to inductively defined spaces.


Definition 4.7. Let $(\Sigma, \theta)$ be a Noetherian space. The ordinal tree topology
over $\alpha$-branching trees is the least fixed point of $E^\theta_{\alpha\text{-}\mathrm{trees}}$, mapping a topology
$\tau$ to the topology generated by the sets $\uparrow_{\le_{\mathrm{tree}}} U(V)$, where $U \in \theta$, $V$ is open
in $(T^{<\alpha}(\Sigma))^{<\alpha}$ with the ordinal subword topology, and $U(V)$ is the set of trees
whose root is labelled by an element of $U$ and whose list of children belongs to $V$.


Theorem 4.8. The $\alpha$-branching trees endowed with the ordinal tree topology
form a Noetherian space.


Proof. It suffices to prove that $E^\theta_{\alpha\text{-}\mathrm{trees}}$ is a topology expander. It is clear that
$E^\theta_{\alpha\text{-}\mathrm{trees}}$ is monotone, and a closed set of $E^\theta_{\alpha\text{-}\mathrm{trees}}(\tau)$ is always downwards closed
for $\le_{\mathrm{tree}}$. As a consequence, if $\tau \subseteq E^\theta_{\alpha\text{-}\mathrm{trees}}(\tau)$ and $H$ is closed in $\tau$, then
$t \in H$ implies that every child of $t$ belongs to $H$.
Therefore, $(\uparrow_{\le_{\mathrm{tree}}} U(V)) \cap H = (\uparrow_{\le_{\mathrm{tree}}} U(V \cap H^{<\alpha})) \cap H$. Notice that $H^{<\alpha} \cap V$ is
an open of the ordinal subword topology over $\tau|H$. As a consequence, $(\uparrow_{\le_{\mathrm{tree}}} U(V)) \cap H \in
E^\theta_{\alpha\text{-}\mathrm{trees}}(\tau|H)|H$.

Let us now check that $E^\theta_{\alpha\text{-}\mathrm{trees}}$ preserves Noetherian topologies. Let $W_i :=
\uparrow_{\le_{\mathrm{tree}}} U_i(V_i)$ be an $\mathbb{N}$-indexed sequence of open sets in $E^\theta_{\alpha\text{-}\mathrm{trees}}(\tau)$ where $\tau$ is Noetherian. The product of the topology $\theta$ and the ordinal subword topology over $\tau$ is
Noetherian thanks to Table 1 and Lemma 4.6. Hence, there exists an $i \in \mathbb{N}$ such
that $U_i \times V_i \subseteq \bigcup_{j < i} U_j \times V_j$. As a consequence, $W_i \subseteq \bigcup_{j < i} W_j$. We have proven
that $E^\theta_{\alpha\text{-}\mathrm{trees}}(\tau)$ is Noetherian.

At this point, we have proven that the framework of topology expanders
allows one to build non-trivial Noetherian spaces. We argue that this bears several
advantages over ad-hoc proofs: (i) the ad-hoc proofs are often tedious and error
prone [12, 13, 15]; (ii) the verification that $E$ is a topology expander, on the other
hand, is quite simple; (iii) it reduces the canonicity issue of topologies to the choice
of a suitable topology expander.


5 Consequences on inductive definitions 


So far, the process of constructing Noetherian spaces has been the following: 
first build a set of points, then compute a topology that is Noetherian as a 
least fixed point. In the case where the set of points itself is inductively defined 
(such as finite words or finite trees), the second step might seem redundant, and 
getting rid of it provides a satisfactory answer to the canonicity concerns about 
Noetherian topologies. 

Before studying inductive definitions of topological spaces, the notion of least
fixed point in this setting has to be made precise. To that purpose, let us now introduce some basic notions of category theory. In this paper only three categories
will appear, the category Set of sets and functions, the category Top of topological spaces and continuous maps, and the category Ord of quasi-ordered spaces
and monotone maps. Using this language, a unary constructor $G$ in the algebra
of wqos defines an endofunctor from objects of the category Ord to objects of
the category Ord preserving well-quasi-orderings.


Notation 5.1. Recall that in a category C, Hom(A, B) is used to denote the 
collection of morphisms from the object A to the object B in C. Moreover, Aut(A) 
denotes the set of automorphisms of A, i.e., invertible elements of (Hom(A, A), o). 


In our study of Noetherian spaces (resp. well-quasi-orderings), we will often
see constructors $G'$ as first building a new set of structures, and then adapting the
topology (resp. ordering) to this new set. In categorical terms, we are interested
in endofunctors $G'$ that are $U$-lifts of endofunctors on Set, where $U$ is the forgetful
functor from Top (resp. Ord) to Set.


5.1 Divisibility Topologies of Analytic Functors 


The goal of this section is to introduce the categorical framework needed to 
formalise the automatic definition of a topology over an inductively defined 
datatype, and to compare this definition with the work that exists on well- 
quasi-orders by Hasegawa [17] and Freund [8]. We will avoid as much as possible 
the use of complex machinery related to analytic functors, and use as a defini- 
tion an equivalent characterisation given by Hasegawa [17, Theorem 1.6]. For 
an introduction to analytic functors and combinatorial species, we redirect the 
reader to Joyal [20]. 
Notation 5.2. Given $G$ an endofunctor of Set, the category of elements $\mathrm{el}(G)$ has
as objects pairs $(E, a)$ with $a \in G(E)$, and as morphisms between $(E, a)$ and
$(E', a')$ maps $f \colon E \to E'$ such that $G(f)(a) = a'$.


As an intuition to the unfamiliar reader, an element $(E, a)$ in $\mathrm{el}(G)$ is a
witness that $a$ can be produced through $G$ by using elements of $E$. Morphisms
of elements are witnessing how relations between elements of $G(E)$ and $G(E')$
arise from relations between $E$ and $E'$. As a way to define a "smallest" set of
elements $E$ such that $a$ can be found in $G(E)$, we rely on transitive objects. We
recall that in a category C, if $X, A$ are two objects, the action of $\mathrm{Aut}(X)$ on
$\mathrm{Hom}(X, A)$ is transitive when for every pair $f, g \in \mathrm{Hom}(X, A)$, there exists an
$h \in \mathrm{Aut}(X)$ such that $f \circ h = g$.


Notation 5.3. A transitive object in a category C is an object X satisfying the 
following two conditions for every object A of C: (a) the set Hom(X, A) in C 
is non-empty; (b) the right action of Aut(X) on Hom(X, A) by composition is 
transitive. 


Notation 5.4. Given an object $A$ in a category C, one can build the slice category
C/A whose objects are elements of $\mathrm{Hom}(B, A)$ when $B$ ranges over objects of
C and morphisms between $c_1 \in \mathrm{Hom}(B_1, A)$ and $c_2 \in \mathrm{Hom}(B_2, A)$ are maps
$f \colon B_1 \to B_2$ such that $c_2 \circ f = c_1$.


This notion of slice category can be combined with the one of transitive 
object to build so-called “weak normal forms”. 


Notation 5.5. A weak normal form of an object A in a category C is a transitive 
object in C/A. 


A category C has the weak normal form property whenever every object A 
has a weak normal form. We are now ready to formulate a definition of analytic 
functors through the existence of weak normal forms for objects in their category 
of elements. 


Notation 5.6. An endofunctor $G$ of Set is an analytic functor whenever its category of elements $\mathrm{el}(G)$ has the weak normal form property. Moreover, $X$ is a
finite set for every weak normal form $f \in \mathrm{Hom}((X, x), (Y, y))$ in $\mathrm{el}(G)/(Y, y)$.


Example 5.7. The functor mapping X to X* is analytic, and the weak normal 
form of a word (X*, w) is (letters(w), w) together with the canonical injection 
from letters(w) to X. In this specific case, the weak normal forms are in fact 
initial objects. 


Example 5.8. The functor mapping $X$ to $X^{<\alpha}$ is not analytic when $\alpha > \omega$,
because of the restriction that weak normal forms are defined using finite sets.


Let us now explain how these weak normal forms can be used to define a 
support associated to the analytic functor, which in turns allows us to build a 
notion of substructure ordering over initial algebras of analytic functors. 
Definition 5.9. Let $G$ be an analytic functor, $(X, x)$ be an element in $\mathrm{el}(G)$ and
$f \in \mathrm{Hom}((Y, y), (X, x))$ be a weak normal form in the slice category $\mathrm{el}(G)/(X, x)$.
We define $f(Y)$ as the support of $x$ in $X$, written $\mathrm{supp}_X(x)$.


Definition 5.10. Let $G$ be an analytic functor and $(\mu G, \delta)$ be an initial algebra of $G$. We say that $a \in \mu G$ is a child of $b \in \mu G$ whenever $a = b$ or
$a \in \mathrm{supp}_{\mu G}(\delta^{-1}(b))$. The transitive closure of the children relation is called the
substructure ordering of $\mu G$ and written $\sqsubseteq$.


Example 5.11. The substructure ordering on $\mu G$ for $G(X) := 1 + \Sigma \times X$ is the
suffix ordering of words over $\Sigma$.


We leverage the notion of substructure ordering to define a suitable topology expander over initial algebras of analytic functors. Note that this ordering
appears implicitly in the construction of Hasegawa [17, Definition 2.7].


Definition 5.12. Let $G' \colon \mathrm{Top} \to \mathrm{Top}$ be a lifting of an analytic functor $G$, and
$(\mu G, \delta)$ an initial algebra of $G$. We define $E_{G'}$ as the map sending $\tau$ to the topology generated by $\uparrow_{\sqsubseteq} \delta(U)$ where $U \in G'(\mu G, \tau)$.
We say that the least fixed point of $E_{G'}$ is the divisibility topology over $\mu G$.


Theorem 5.13. Let $G' \colon \mathrm{Top} \to \mathrm{Top}$ be a lifting of an analytic functor $G$, and
$(\mu G, \delta)$ an initial algebra of $G$. Moreover, we suppose that $G'$ preserves inclusions.
The map $E_{G'}$ is a topology expander, hence the divisibility topology is Noetherian.


As a sanity check, we can apply Theorem 5.13 to the sets of finite words 
and finite trees, and recover the subword topology and the tree topology that 
were obtained in an ad-hoc fashion in Section 4. In addition to validating the 
usefulness of Theorem 5.13, we believe that these are strong indicators that 
the topologies introduced prior to this work were the right generalisations of 
Higman’s word embedding and Kruskal’s tree embedding in a topological setting, 
and addresses the canonicity issue of the aforementioned topologies. 


Lemma 5.14. The subword topology over $\Sigma^*$ (resp. the tree topology over $T(X)$)
is the divisibility topology associated to the inductive construction of finite words
(resp. finite trees).


5.2 Divisibility Preorders 


We are now going to prove that the divisibility topology correctly generalises
the corresponding notions on quasi-orderings. In the case of finite words, this
translates to the equation $\mathrm{alex}(\le)^* = \mathrm{alex}(\le^*)$ [12, Exercise 9.7.30]. We relate
the divisibility topology to the divisibility preorder introduced by Hasegawa [17,
Definition 2.7].


Theorem 5.15. Let $G'$ be the lift of an analytic functor respecting Alexandroff topologies, Noetherian spaces, and embeddings. Then, the divisibility topology of $\mu G$ is the Alexandroff topology of the divisibility preorder of $\mu G$, which is
a well-quasi-ordering.
6 Outlook


We have provided a systematic way to place a Noetherian topology over an in- 
ductively defined datatype, which is correct with respect to its wqo counterpart 
whenever it exists. As a byproduct, we obtained a uniform framework that sim- 
plifies existing proofs, and serves as an indicator that the pre-existing topologies 
were the “right generalisations” of their quasi-order counterparts. Let us now 
briefly highlight some interesting properties of the underlying theory. 


Differences with the existing categorical frameworks. The existing cate- 
gorical frameworks are built around a specific kind of functors [17, 8], while the 
notion of topology expander only requires talking about one specific set. This 
allows proving that the ordinal subword topology and the a-branching trees are 
Noetherian, while these escape both the realm of wqos, and of “well-behaved 
functors” having finite support functions. 


Quasi-analytic functors. In fact, the proof of Theorem 5.13 never relies on
the finiteness of the support of an element. This means that the definition of
analytic functors can be loosened to allow non-finite weak normal forms. We do
not know whether this notion of "quasi-analytic functor" already exists in the
literature.


Transfinite iterations. As the reader might have noticed, all of the least fixed
points considered in this paper are obtained using at most $\omega$ steps. This is
because the topology expanders that are presented in the paper are all Scott-continuous, i.e., they satisfy the equation $E(\sup_i \tau_i) = \sup_i E(\tau_i)$. While Theorem 3.21 does apply to non-Scott-continuous topology expanders, we do not
know any reasonable example of such an expander.


Lack of ordinal invariants. Even though our proof that the ordinal subword
topology is Noetherian is shorter than the original one, it actually provides
less information. In particular, it does not provide a bound for the ordinal rank of
the lattice of closed sets (called the stature of $X^{<\alpha}$), whereas a clear bound is
provided by the previous approach of Goubault-Larrecq et al. [15, Proposition 33].
This limitation already appears in the existing categorical frameworks [17, 8], and
we believe that this is inherent to the use of minimal bad sequence arguments.


Acknowledgements. I thank the anonymous reviewers for their helpful sug- 
Abstract. An efficient entailment proof system is essential to compositional verification using separation logic. Unfortunately, existing decision procedures are
either inexpressive or inefficient. For example, Smallfoot is an efficient procedure
but only works with hardwired lists and trees. Other procedures that can support
general inductive predicates run exponentially in time as their proof search requires back-tracking to deal with a disjunction in the consequent.

This paper presents a decision procedure to derive cyclic entailment proofs for
general inductive predicates in polynomial time. Our procedure is efficient and
does not require back-tracking; it uses normalisation rules that help avoid the introduction of disjunction in the consequent. Moreover, our decidable fragment
is sufficiently expressive: it is based on compositional predicates and can capture a wide range of data structures, including sorted and nested list segments,
skip lists with fast-forward pointers, and binary search trees. We implemented
the proposal in a prototype tool, called S2S$_{\mathrm{lin}}$, and evaluated it over challenging
problems from a recent separation logic competition. The experimental results
confirm the efficiency of the proposed system.


Keywords: Cyclic Proofs, Entailment Procedure, Separation Logic. 


1 Introduction 


Separation logic [20,37] has successfully been used to reason about programs manipulating pointer
structures. It empowers reusability and scalability through compositional reasoning
[6,7]. A compositional verification system relies on bi-abduction technology which is,
in turn, based on entailment proof systems. Entailment is defined as follows: given an antecedent
$A$ and a consequent $C$, where $A$ and $C$ are formulas in separation logic, the entailment
problem checks whether $A \vdash C$ is valid. Thus, an efficient decision procedure for entailments is the vital ingredient of an automatic verification system in separation logic.

To enhance the expressiveness of the assertion language, for example, to specify un- 
bounded heaps and interesting pure properties (e.g., sortedness, parent pointers), sep- 
aration logic is typically combined with user-defined inductive predicates [9,31,35]. 
In this setting, one key challenge of an entailment procedure is the ability to support 
induction reasoning over the combination of heaps and data content. The problem of 
induction is challenging, especially for an automated inductive theorem prover, where
the induction rules are not explicitly stated. Indeed, this problem is undecidable [1].


Developing a sound and complete entailment procedure that could be used for
compositional reasoning is not trivial. It is unknown how model-based systems, e.g.
[14,15,17,18,22,23], could support compositional reasoning. In contrast, there was evidence that proof-based decision procedures, e.g., Smallfoot [2] and the variant [12], and
Cycomp [42], can be extended to solve the bi-abduction problem, which enables compositional reasoning and scalability [7,25]. Smallfoot was the centre of the bi-abductive
procedure deployed in Infer [7], which greatly impacted academia and industry
[13]. Furthermore, Smallfoot is very efficient due to its use of the "exclude-the-middle"
rule, which can avoid the proof search over the disjunction in the consequent. However, Smallfoot works for hardwired lists and binary trees only. In contrast, Cycomp, a
recent complete entailment procedure, is a cyclic proof system without "exclude-the-middle" and can support general inductive predicates but has double exponential time
complexity due to the proof search (and back-tracking) in the consequent.


This paper introduces a cyclic proof system with an "exclude-the-middle"-styled decision procedure for decidable yet expressive inductive predicates. We especially show
that our procedure runs in polynomial time when the maximum number of fields of data
structures is bounded by a constant. The decidable fragment, SHLIDe, contains inductive definitions of compositional predicates and pure properties. These predicates can
capture nested list segments, skip lists and trees. The pure properties of small models
can model a wide range of common data structures, e.g. a list with fast-forward pointers, sorted nested lists, and binary search trees [22,32]. This fragment is much more
expressive than Smallfoot's and is incomparable to Cycomp's [42]: there exist some
entailments our system can handle but Cycomp could not, and vice versa.


Our procedure is a variant of the cyclic proof system introduced by Brotherston
[3,5], which has become one of the leading solutions to induction reasoning in separation
logic. Intuitively, a cyclic proof is naturally represented as a tree of statements (entailments in this paper). The leaves are either axioms or nodes linked back to inner nodes;
the tree's root is the theorem to be proven, and nodes are connected to one or more
children by proof rules. Alternatively, a cyclic proof can be viewed as a tree possibly
containing some back-links (a.k.a. cycles, e.g., "C, if B, if C") such that the proof satisfies some global soundness condition. This condition ensures that the proof can be
viewed as a proof of infinite descent. For instance, for a cyclic entailment proof with
inductive definitions, if every cycle contains an unfolding of some inductive predicate,
then that predicate is infinitely often reduced into a strictly "smaller" predicate. This
infinity is impossible as the semantics of inductive definitions only allows finite steps
of unfolding. Hence, that proof path with the cycle can be disregarded.


The proposed system advances Brotherston's system in three ways. First, the proposed proof search algorithm is specialized to SHLIDe, which includes "exclude-the-middle" rules and excludes any back-tracking. The existing proof procedures typically
search for proofs (and back-track) over disjunctive cases generated from unfolding inductive predicates in the RHS of an entailment. To avoid such costly searches, we propose "exclude-the-middle"-styled normalised rules in which the unfolding of inductive
predicates in the RHS always produces one disjunct. Therefore, our system is much
more efficient than existing systems. Second, while a standard Brotherston system is
incomplete, our proof search is complete in SHLIDe: if it is stuck (i.e., it cannot apply
any inference rules), then the root entailment is invalid.

Lastly, while the global soundness in [5] must be checked globally and explicitly,
every back-link generated in SHLIDe is sound by design. We note that Cycomp, introduced in [42], was the first work to show the completeness of a cyclic proof system.
However, in contrast to ours, it did not discuss the global soundness condition, which is
the crucial idea contributing to the soundness of cyclic proofs.


Contributions Our primary contributions are summarized as follows. 


— We present a novel decision procedure, S2S_Lin, for the entailment problem in sepa- 
ration logic with inductive definitions of compositional predicates. 

— We provide a complexity analysis of the procedure. 

— We have implemented the proposal in a prototype tool and tested it with the SL- 
COMP benchmarks [38,39]. The experimental results show that S2S_Lin is effective 
and efficient compared to state-of-the-art solvers. 


Organization The remainder of the paper is organised as follows. Sect. 2 describes 
the syntax of formulas in fragment SHLIDe. Sect. 3 presents the basics of an “exclude- 
the-middle” proof system and cyclic proofs. Sect. 4 elaborates on the result, the novel 
cyclic proof system, including an illustrative example. Sect. 5 discusses soundness and 
completeness. Sect. 6 presents the implementation and evaluation. Sect. 7 discusses 
related work. Finally, Sect. 8 concludes the work. 


2 Decidable Fragment SHLIDe 


Subsection 2.1 presents the syntax of separation logic formulae and the recursive definitions of 
linear predicates and local properties. Subsection 2.2 presents the semantics. 


2.1 Separation Logic Formulas 


Concrete heap models assume a fixed finite collection of data structures Node, a fixed 
finite collection of field names Fields, a set Loc of locations (heap addresses), and a set 
of non-addressable values Val, with the requirement that Val ∩ Loc = ∅ (i.e., no pointer 
arithmetic). null is a special element of Val. Z denotes the set of integers (Z ⊆ Val) and 
k denotes integer numbers. Var is an infinite set of variables, and v̄ a sequence of variables. 


Syntax Disjunctive formula Φ, symbolic heaps Δ, spatial formula κ, pure formula π, 
pointer (dis)equality φ, and (in)equality formula α are as follows. 

$$
\begin{array}{rcl}
\Phi & ::= & \Delta \mid \Phi \vee \Phi \\
\Delta & ::= & \kappa \wedge \pi \mid \exists v.\, \kappa \wedge \pi \\
\pi & ::= & \mathsf{true} \mid \alpha \mid \neg\alpha \mid \pi \wedge \pi \\
\kappa & ::= & \mathsf{emp} \mid x \mapsto c(f{:}v, .., f{:}v) \mid P(\bar{v}) \mid \kappa * \kappa \\
\alpha & ::= & a = a \mid a \leq a \qquad\qquad a ::= k \mid v
\end{array}
$$

where v ∈ Var, c ∈ Node and f ∈ Fields. Note that we often discard field names f of points- 
to predicates x↦c(f:v, .., f:v) and use the short form x↦c(v̄). v1≠v2 is the short 
form of ¬(v1=v2). E denotes either a variable or null. Δ[E/v] denotes the formula 
obtained from Δ by substituting v by E. A symbolic heap is referred to as a base, denoted 
as Δ^b, if it does not contain any occurrence of inductive predicates. 
Inductive Definitions We write P to denote a set of n defined predicates P = {P1, ..., Pn} 
in our system. Each inductive predicate has the following types of parameters: a pair of root 
and segment defining segment-based linked points-to heaps, reference parameters (e.g., 
parent pointers, fast-forwarding pointers), transitivity parameters (e.g., singly-linked 
lists where every heap cell contains the same value a) and pairs of ordering parameters 
(e.g., trees being binary search trees). An inductive predicate is defined as 


$$
\begin{array}{rcl}
\mathsf{pred}\ P(r,F,B,u,sc,tg) & \equiv & \mathsf{emp} \wedge r{=}F \wedge sc{=}tg \\
& \vee & \exists X_{tl}, \bar{Z}, sc'.\ r \mapsto c(X_{tl}, \bar{p}, u, sc') * \kappa' * P(X_{tl},F,B,u,sc',tg) \wedge r{\neq}F \wedge sc \odot sc'
\end{array}
$$

where r is the root, F the segment, B the borders, u the parameter for a transitivity 
property, sc and tg the source and target parameters, respectively, of an order property, 
r↦c(X_tl,p̄,u,sc') * κ' the matrix of the heaps, and ⊙ ∈ {=, >, <}. (The extension for 
multiple local properties is straightforward.) Moreover, this definition is constrained by 
the following three conditions on heap connectivity, establishment, and termination. 

Condition C1. In the recursive rule, p̄ = {null} ∪ Z̄. This condition implies that if 
two variables point to the same heap, their content must be the same. For instance, the 
following definition of singly-linked lists of even length does not satisfy this condition. 

$$
\mathsf{pred}\ \mathsf{ell}(r,F) \equiv \mathsf{emp} \wedge r{=}F\ \vee\ \exists x_1, X_{tl}.\ r \mapsto c_1(x_1) * x_1 \mapsto c_1(X_{tl}) * \mathsf{ell}(X_{tl},F) \wedge r{\neq}F
$$

as X_tl is not a field variable of the node pointed to by r. 
Condition C2. The matrix heap defines nested and connected list segments as: 

$$
\kappa' ::= Q(\bar{Z}, \bar{U}) \mid \kappa' * \kappa' \mid \mathsf{emp}
$$

where Z̄ ⊆ p̄ and (Ū \ p̄) ∩ Z̄ = ∅. This condition ensures connectivity (i.e., all allocated 
heaps are connected to the root) and establishment (i.e., every existential quantifier either 
is allocated or equals a parameter). 

Condition C3. There is no mutual recursion. We define an order ≺_P on inductive pred- 
icates as: P ≺_P Q if at least one occurrence of predicate Q appears in the definition of P, 
and Q is called a direct sub-term of P. We use ≺_P^+ to denote the transitive closure of ≺_P. 
Several definition examples are shown as follows. 


$$
\begin{array}{rcl}
\mathsf{pred}\ \mathsf{ll}(r,F) & \equiv & \mathsf{emp} \wedge r{=}F\ \vee\ \exists X_{tl}.\ r \mapsto c_1(X_{tl}) * \mathsf{ll}(X_{tl},F) \wedge r{\neq}F \\
\mathsf{pred}\ \mathsf{nll}(r,F,B) & \equiv & \mathsf{emp} \wedge r{=}F \\
& \vee & \exists X_{tl}, Z.\ r \mapsto c_3(X_{tl},Z) * \mathsf{ll}(Z,B) * \mathsf{nll}(X_{tl},F,B) \wedge r{\neq}F \\
\mathsf{pred}\ \mathsf{skl1}(r,F) & \equiv & \mathsf{emp} \wedge r{=}F\ \vee\ \exists X_{tl}.\ r \mapsto c_4(X_{tl},\mathsf{null},\mathsf{null}) * \mathsf{skl1}(X_{tl},F) \wedge r{\neq}F \\
\mathsf{pred}\ \mathsf{skl2}(r,F) & \equiv & \mathsf{emp} \wedge r{=}F \\
& \vee & \exists X_{tl}, Z_1.\ r \mapsto c_4(Z_1,X_{tl},\mathsf{null}) * \mathsf{skl1}(Z_1,X_{tl}) * \mathsf{skl2}(X_{tl},F) \wedge r{\neq}F \\
\mathsf{pred}\ \mathsf{skl3}(r,F) & \equiv & \mathsf{emp} \wedge r{=}F \\
& \vee & \exists X_{tl}, Z_1, Z_2.\ r \mapsto c_4(Z_1,Z_2,X_{tl}) * \mathsf{skl1}(Z_1,Z_2) * \mathsf{skl2}(Z_2,X_{tl}) * \mathsf{skl3}(X_{tl},F) \wedge r{\neq}F \\
\mathsf{pred}\ \mathsf{tree}(r,B) & \equiv & \mathsf{emp} \wedge r{=}B \\
& \vee & \exists r_l, r_r.\ r \mapsto c_2(r_l,r_r) * \mathsf{tree}(r_l,B) * \mathsf{tree}(r_r,B) \wedge r{\neq}B
\end{array}
$$


ll defines singly-linked lists, nll defines lists of acyclic lists, skl1, skl2 and skl3 
define skip-lists. Finally, tree defines binary trees. We extend predicate ll with transi- 
tivity and order parameters to obtain predicates lla and lls, respectively, as follows. 

$$
\begin{array}{rcl}
\mathsf{pred}\ \mathsf{lla}(r,F,a) & \equiv & \mathsf{emp} \wedge r{=}F\ \vee\ \exists X_{tl}.\ r \mapsto c_2(X_{tl},a) * \mathsf{lla}(X_{tl},F,a) \wedge r{\neq}F \\
\mathsf{pred}\ \mathsf{lls}(r,F,mi,ma) & \equiv & \mathsf{emp} \wedge r{=}F \wedge ma{=}mi \\
& \vee & \exists X_{tl}, mi_1.\ r \mapsto c_4(X_{tl},mi_1) * \mathsf{lls}(X_{tl},F,mi_1,ma) \wedge r{\neq}F \wedge mi{<}mi_1
\end{array}
$$


Unfolding Given pred P(t̄) ≡ Φ and a formula P(v̄)*Δ, unfolding P(v̄) means 
replacing P(v̄) by Φ[v̄/t̄]. We annotate a number, called the unfolding number, on each oc- 
currence of an inductive predicate. Suppose ∃w̄. r↦c(p̄) * Q1(v̄1) * ... * Qm(v̄m) * P(t̄') ∧ π 
is the recursive rule; then in the unfolded formula, if P(t̄'[v̄/t̄])^{k1} and Qi(...)^{k2} are di- 
rect sub-terms of P(v̄)^k like above, then k1 = k+1 and k2 = 0. When it is unambiguous, 
we discard the annotation of the unfolding number for simplicity. 


2.2 Semantics 
The program state is interpreted by a pair (s,h) where s ∈ Stacks, h ∈ Heaps, and stacks 
Stacks and heaps Heaps are defined as: 

$$
\begin{array}{rcl}
\mathit{Heaps} & \triangleq & \mathit{Loc} \rightharpoonup_{fin} (\mathit{Node} \to (\mathit{Fields} \to \mathit{Val} \cup \mathit{Loc})^m) \\
\mathit{Stacks} & \triangleq & \mathit{Var} \to \mathit{Val} \cup \mathit{Loc}
\end{array}
$$

Note that we assume that every data structure contains at most m fields. Given a formula 
Φ, its semantics is given by a relation s,h ⊨ Φ in which the stack s and the heap h 
satisfy the constraint Φ. The semantics is shown below. 


$$
\begin{array}{lcl}
s,h \models \mathsf{emp} & \text{iff} & dom(h) = \emptyset \\
s,h \models v \mapsto c(\bar{f_i}{:}\bar{v_i}) & \text{iff} & dom(h) = \{s(v)\},\ h(s(v)) = g,\ g(c,f_i) = s(v_i) \\
s,h \models P(\bar{v}) & \text{iff} & (h, s(v_1), .., s(v_k)) \in \llbracket P \rrbracket \\
s,h \models \kappa_1 * \kappa_2 & \text{iff} & \exists h_1, h_2.\ h_1 \# h_2,\ h = h_1 \cdot h_2,\ s,h_1 \models \kappa_1 \text{ and } s,h_2 \models \kappa_2 \\
s,h \models \mathsf{true} & \text{iff} & \text{always} \\
s,h \models \kappa \wedge \pi & \text{iff} & s,h \models \kappa \text{ and } s \models \pi \\
s,h \models \exists v.\,\Delta & \text{iff} & \exists a.\ s[v \mapsto a], h \models \Delta \\
s,h \models \Phi_1 \vee \Phi_2 & \text{iff} & s,h \models \Phi_1 \text{ or } s,h \models \Phi_2
\end{array}
$$

dom(g) is the domain of g, h1#h2 denotes disjoint heaps h1 and h2, i.e., dom(h1) ∩ 
dom(h2) = ∅, and h1·h2 denotes the union of two disjoint heaps. If s is a stack, v ∈ Var, 
and a ∈ Val ∪ Loc, we write s[v↦a] for the stack that maps v to a and otherwise agrees 
with s; if v ∉ dom(s), then s[v↦a] = s ∪ {(v, a)}. 
Semantics of non-heap (pure) formulas is omitted for simplicity. The interpretation of 
an inductive predicate P(t̄) is based on the least fixed point semantics ⟦P⟧. 

Entailment Δ ⊨ Δ' holds iff for all s and h, if s,h ⊨ Δ then s,h ⊨ Δ'. 
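The clauses above can be read as a model checker over finite concrete heaps. The following added example (not code from the paper or from the S2S tool) implements the relation s,h ⊨ Φ for the formula syntax of Sect. 2.1 with the paper's ll predicate, treating `*` as a search over disjoint splits of dom(h), the predicate as its unfolding (the least fixed point on a finite heap), and the existential over the finite universe that Condition C2 makes sufficient. The stack/heap encoding, the node name `c1`, the sample models `LIST`, `SEG` and `ALIAS`, and the helper `counter_model` are constructed for the example; null is represented as the value 0.

```python
from itertools import combinations, count

# Concrete models, following Sect. 2.2: a stack maps variables to values,
# a heap maps locations to (node name, tuple of field values). null is 0.
NULL = 0
_fresh = count()

def val(s, t):
    """Value of a term: the constant null or a stack variable."""
    return NULL if t == "null" else s[t]

# Inductive definitions (the paper's ll): each call returns the disjuncts of
# the body with a fresh existential, so nested unfoldings never capture X_tl.
def ll_def(r, f):
    x = f"X{next(_fresh)}"
    return [("and", ("emp",), ("eq", r, f)),
            ("exists", x, ("and", ("star", ("pt", r, "c1", [x]), ("pred", "ll", [x, f])),
                                  ("ne", r, f)))]

DEFS = {"ll": ll_def}

def pure(s, p):
    if p[0] == "true":
        return True
    if p[0] == "eq":
        return val(s, p[1]) == val(s, p[2])
    if p[0] == "ne":
        return val(s, p[1]) != val(s, p[2])
    return pure(s, p[1]) and pure(s, p[2])          # ("and", p1, p2)

def sat(s, h, phi):
    """s, h |= phi, clause by clause as in the semantics table."""
    kind = phi[0]
    if kind == "emp":                                # dom(h) = {}
        return not h
    if kind == "pt":                                 # exactly one cell, with the right contents
        _, v, c, fields = phi
        loc = val(s, v)
        return set(h) == {loc} and h[loc] == (c, tuple(val(s, f) for f in fields))
    if kind == "pred":                               # least fixed point: unfold the body
        _, name, args = phi
        return any(sat(s, h, body) for body in DEFS[name](*args))
    if kind == "star":                               # h = h1 . h2 with h1 # h2
        _, k1, k2 = phi
        locs = sorted(h)
        for n in range(len(locs) + 1):
            for part in combinations(locs, n):
                h1 = {l: h[l] for l in part}
                h2 = {l: h[l] for l in locs if l not in part}
                if sat(s, h1, k1) and sat(s, h2, k2):
                    return True
        return False
    if kind == "and":
        return sat(s, h, phi[1]) and pure(s, phi[2])
    if kind == "exists":                             # s[v -> a], h |= body for some a
        _, v, body = phi
        # Existentials in SHLIDe are established (Condition C2): a witness is either
        # allocated or equal to a parameter, so this finite universe is exhaustive.
        universe = set(h) | {x for _, fs in h.values() for x in fs} | set(s.values()) | {NULL}
        return any(sat({**s, v: a}, h, body) for a in universe)
    return sat(s, h, phi[1]) or sat(s, h, phi[2])    # ("or", phi1, phi2)

def counter_model(models, lhs, rhs):
    """First (s, h) among the given models satisfying lhs but not rhs, else None."""
    for s, h in models:
        if sat(s, h, lhs) and not sat(s, h, rhs):
            return s, h
    return None

# Constructed sample models: a two-cell list x -> y -> null, a dangling one-cell
# segment from x to y, and an aliasing stack where x and y share one cell.
LIST = ({"x": 1, "y": 2}, {1: ("c1", (2,)), 2: ("c1", (NULL,))})
SEG = ({"x": 1, "y": 2}, {1: ("c1", (2,))})
ALIAS = ({"x": 1, "y": 1}, {1: ("c1", (NULL,))})

def demo():
    s, h = LIST
    return {
        "ll(x,null)": sat(s, h, ("pred", "ll", ["x", "null"])),
        "ll(x,y)": sat(s, h, ("pred", "ll", ["x", "y"])),        # y's cell is left over
        "ll(x,y)*y|->c1(null)": sat(s, h, ("star", ("pred", "ll", ["x", "y"]),
                                                   ("pt", "y", "c1", ["null"]))),
        "x|->c1(null)*y|->c1(null) under aliasing":              # not disjoint
            sat(*ALIAS, ("star", ("pt", "x", "c1", ["null"]), ("pt", "y", "c1", ["null"]))),
        "counter-model to ll(x,y) |- ll(x,null)":
            counter_model([LIST, ALIAS, SEG], ("pred", "ll", ["x", "y"]),
                          ("pred", "ll", ["x", "null"])),
    }
```

`demo()` exercises the three points a practitioner usually gets wrong when reading the table: a points-to atom describes exactly one cell (so ll(x,y) fails on the two-cell heap because the cell at y is not covered), `*` demands disjointness (so aliased x and y cannot both be allocated), and an entailment is refuted by a single concrete counter-model, here the dangling segment.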


3 Entailment Problem & Overview 


Throughout this work, we consider the following problem. 


PROBLEM: QF_ENT–SL_LIDe. 
INPUT: Δa ≡ κa ∧ πa and Δc ≡ κc ∧ πc where FV(Δc) ⊆ FV(Δa) ∪ {null}. 
QUESTION: Does Δa ⊨ Δc hold? 


482 Q. L. Le et al. 


An entailment, denoted as e, is syntactically formalized as Δa ⊢ Δc, where Δa and 
Δc are quantifier-free formulas whose syntax is defined in the preceding section. 

In Sect. 3.1, we present the basis of an exclude-the-middle proof system and our 
approach to QF_ENT–SL_LIDe. In Sect. 3.2, we describe the foundation of cyclic proofs. 


3.1 Exclude-the-Middle Proof System 


Given a goal Δa ⊢ Δc, an entailment proof system might derive entailments with a 
disjunction in the right-hand side (RHS). Such an entailment can be obtained by a proof 
rule that replaces an inductive predicate by its definition rules. The authors of Smallfoot 
[2] introduced a normal form and proof rules to prevent such entailments when the 
predicates are lists or trees. Smallfoot considers the following two scenarios. 


— Case 1 (Exclude-the-middle and Frame): The inductive predicate matches with a 
points-to predicate in the left-hand side (LHS). For instance, let us consider an 
entailment of the form e1 : x↦c(z) * Δ ⊢ ll(x,y) * Δ', where ll is 
singly-linked lists and ll(x,y) matches with x↦c(z) as they have the same root 
x. A typical proof system might search for a proof through the two definition rules of 
predicate ll (i.e., by unfolding ll(x,y) into two disjuncts): one includes the base 
case with x = y, and the other contains the recursive case with x ≠ y. Smallfoot 
prevents such unfolding by excluding the middle in the LHS: it reduces the entail- 
ment into two premises: x↦c(z) * Δ ∧ x = y ⊢ ll(x,y) * Δ' and x↦c(z) * Δ ∧ x ≠ 
y ⊢ ll(x,y) * Δ'. The first one considers the base case of the list (that is, ll(x,x)) 
and is equivalent to x↦c(z) * Δ ∧ x = y ⊢ Δ'. Furthermore, the second premise 
checks the inductive case of the list and is equivalent to Δ ∧ x ≠ y ⊢ ll(z,y) * Δ'. 

— Case 2 (Induction proving via hard-wired Lemma): The inductive predicate matches 
other inductive predicates in the LHS. For example, consider the entailment e2 : 
ll(x,z) * Δ ⊢ ll(x,null) * Δ'. Smallfoot handles e2 by using a proof rule which is the 
consequence of applying the following hard-wired lemma ll(x,z) * ll(z,null) ⇒ 
ll(x,null), and reduces the entailment to Δ ⊢ ll(z,null) * Δ'. 


In doing so, Smallfoot does not introduce a disjunction in the RHS. However, as it uses 
specific lemmas in the induction reasoning, it only works for the hardwired lists. 

This paper proposes S2S_Lin as an exclude-the-middle system for user-defined pred- 
icates, those in SHLIDe. Instead of using hardwired lemmas, we apply cyclic proofs 
for induction reasoning. For instance, to discharge the entailment e2 above, S2S_Lin first 
unfolds ll(x,z) in the LHS and obtains two premises: 


— e21 : (emp ∧ x = z) * Δ ⊢ ll(x,null) * Δ'; and 
— e22 : (x↦c(y) * ll(y,z) ∧ x ≠ z) * Δ ⊢ ll(x,null) * Δ' 


While it reduces e21 to Δ[z/x] ⊢ ll(z,null) * Δ'[z/x], for e22, it further applies the 
frame rule as in Case 1 above and obtains ll(y,z) * Δ ∧ x ≠ z ⊢ ll(y,null) * Δ'. 
Then, it makes a back-link between the latter and e2 and closes this path. Doing so does 
not introduce disjunctions in the RHS and can handle user-defined predicates. 
3.2 Cyclic Proofs 
Central to our work is a procedure that constructs a cyclic proof for an entailment. Given 
an entailment Δ ⊢ Δ', if our system can derive a cyclic proof, then Δ ⊨ Δ'. If instead 
it is stuck without a proof, then Δ ⊨ Δ' is not valid. 
The procedure includes proof rules, each of which is of the form: 

$$
\mathrm{PR}_0\ \frac{e_1 \quad \ldots \quad e_n}{e}\ \mathit{cond}
$$

where entailment e (called the conclusion) is reduced to entailments e1, .., en (called 
the premises) through inference rule PR0, given that the side condition cond holds. 


A cyclic proof is a proof tree T_i, which is a tuple (V, E, C) where 


— V is a finite set of nodes representing entailments derived during the proof search; 
— a directed edge (e, PR, e') ∈ E (where e' is a child of e) means that the premise 
e' is derived from the conclusion e via inference rule PR. For instance, suppose 
that the rule PR0 above has been applied; then the following n edges are generated: 
(e, PR0, e1), .., (e, PR0, en); 
— and C is a partial relation which captures back-links in the proof tree. If C(e_c ↦ e_l, σ) 
holds, then e_l is linked back to its ancestor e_c through the substitution σ (where 
e_l is referred to as a bud and e_c is referred to as a companion). In particular, e_c 
is of the form Δ ⊢ Δ' and e_l is of the form Δ_l ∧ α ⊢ Δ'_l where Δ = Δ_lσ and 
Δ' = Δ'_lσ. 
A leaf node is marked as closed if it is evaluated as valid (i.e., the node is applied with an 
axiom), invalid (i.e., no rule can apply), or linked back. Otherwise, it is marked as open. 
A proof tree is invalid if it contains at least one invalid leaf node. It is a pre-proof if all its 
leaf nodes are either valid or linked back. Furthermore, a pre-proof is a cyclic proof if a 
global soundness condition is established in the tree. Intuitively, this condition requires 
that for every C(e_c ↦ e_l, σ), there exist inductive predicates P(t̄1) in e_c and Q(t̄2) in e_l 
such that Q(t̄2) is a subterm of P(t̄1). 


Definition 1 (Trace) Let T_i be a pre-proof of Δa ⊢ Δc and (Δa_i ⊢ Δc_i)_{i≥0} be a path 
of T_i. A trace following (Δa_i ⊢ Δc_i)_{i≥0} is a sequence (α_i)_{i≥0} such that each α_i (for all 
i ≥ 0) is a subformula of Δa_i containing predicate P(t̄)^k, and either: 
— α_{i+1} is the subformula occurrence in Δa_{i+1} corresponding to α_i in Δa_i; 
— or Δa_i ⊢ Δc_i is the conclusion of a left-unfolding rule, α_i = P(t̄)^k is unfolded, and 
α_{i+1} is a subformula in Δa_{i+1} and is the definition rule of P(t̄)^k[t̄/x̄]. In this case, 
i is said to be a progressing point of the trace. 


Definition 2 (Cyclic proof) A pre-proof T_i of Δa ⊢ Δc is a cyclic proof if, for every 
infinite path (Δa_i ⊢ Δc_i)_{i≥0} of T_i, there is a tail of the path p = (Δa_i ⊢ Δc_i)_{i≥n} such 
that there is a trace following p which has infinitely many progressing points. 

Suppose that all proof rules are (locally) sound (i.e., if the premises are valid, then 
the conclusion is valid). The following theorem shows global soundness. 
Theorem 1 (Soundness [5]). If there is a cyclic proof of Δa ⊢ Δc, then Δa ⊨ Δc. 
The proof is by contradiction (c.f. [5]). Intuitively, if we can derive a cyclic proof for 
Δa ⊢ Δc and Δa ⊭ Δc, then the inductive predicates at the progressing points are un- 
folded infinitely often. This infinity contradicts the least fixed point semantics of the predicates. 
4 Cyclic Entailment Procedure 


This section presents our main proposal, the entailment procedure ω-ENT with the pro- 
posed inference rules (subsection 4.1), and an illustrative example (subsection 4.2). 


4.1 Proof Search 


ω-ENT 
input: e0   output: valid or invalid 
1: i := 0; T_0 := e0; 
2: while true do 
3:   (res, e_i, PR_i) := is_closed(T_i); 
4:   if res = valid then return valid; 
5:   if res = invalid then return invalid; 
6:   if link_back(T_i, e_i) = false then 
7:     T_{i+1} := apply(T_i, e_i, PR_i); 
8:   i := i+1; 
9: end 

Fig. 1: Proof tree construction procedure 


The proof search algorithm ω-ENT is presented in Fig. 1. ω-ENT takes e0 as input, 
produces cyclic proofs, and based on that, decides whether the input is valid or invalid. 
The idea of ω-ENT is to iteratively reduce T_0 into a sequence of cyclic proof trees T_i, 
i ≥ 0. Initially, for every P(v̄)^k ∈ e0, k is reset to 0, and T_0 only has e0 as an open 
leaf, the root. On line 3, through the procedure is_closed(T_i), ω-ENT chooses an open 
leaf node e_i and a proof rule PR_i to apply. If is_closed(T_i) returns valid (that is, every 
leaf is applied to an axiom rule or involved in a back-link), ω-ENT returns valid on line 4. 
If it returns invalid, then ω-ENT returns invalid (on line 5). Otherwise, it tries to link e_i 
back to an internal node (on line 6). If this attempt fails, it applies the rule (line 7). 

Note that at each leaf, is_closed attempts rules in the following order: normaliza- 
tion rules, axiom rules, and reduction rules. A rule PR_i is chosen if its conclusion can 
be unified with the leaf through some substitution σ. Then, on line 7, for each premise 
of PR_i, procedure apply creates a new open node and connects the node to e_i via a 
new edge. If PR_i is an axiom, procedure apply marks e_i as closed and returns. 


Procedure is_closed(T_i) This procedure examines the following three cases. 


1. First, if all leaf nodes are marked closed, and none is invalid, then is_closed 
returns valid. 
2. Secondly, is_closed returns invalid if there exists an open leaf node e_i : Δ ⊢ Δ' 
in NF such that one of the four following conditions holds: 
(a) e_i could not be applied by any inference rule. 
(b) there exists a predicate op1(E) ∈ Δ such that op2(E) ∉ Δ' and one of the 
following conditions holds: 
- either P(E',E,...) or E'↦c(E,..) are on both sides 
- both P(E',E,...) ∉ Δ and E'↦c(E,..) ∉ Δ 
(c) there exists a predicate op1(E) ∈ Δ' such that G(op1(E)) ∈ Δ and op2(E) ∉ Δ. 
(d) there exist x↦c1(v̄1) ∈ Δ, x↦c2(v̄2) ∈ Δ' such that c1 ≠ c2 or v̄1 ≠ v̄2. 
3. Lastly, if an open leaf node e_i could be applied by an inference rule (e.g., PR_i), 
is_closed returns the triple (unknown, e_i, PR_i). 


In the rest, we discuss the proof rules and the auxiliary procedures in detail. 
Normalisation An entailment is in the normal form (NF) if its LHS is in NF. We write 
op(E) to denote either E↦c(v̄) or P(E,F,B,v̄). Furthermore, the guard G(op(E)) 
is defined by: G(E↦c(v̄)) ≜ true and G(P(E,F,B,v̄)) ≜ E≠F. 


Definition 3 (Normal Form) A formula κ ∧ φ ∧ α is in normal form if: 


1. op(E) ∈ κ implies G(op(E)) ∈ φ 
2. op(E) ∈ κ implies E≠null ∈ φ 
3. op1(E1) * op2(E2) ∈ κ implies E1≠E2 ∈ φ 
4. E1=E2 ∉ φ 
5. E≠E ∉ φ 
6. α is satisfiable 


If Δ is in NF and s,h ⊨ Δ, then dom(h) is uniquely defined by s. 

The normalisation rules are presented in Fig. 2. Basically, ω-ENT applies these rules 
to a leaf exhaustively and transforms it into NF before others. Given an inductive pred- 
icate P(E,F,...), rule ExM excludes the middle by doing case analysis for the predicate 
between the base case (i.e., E=F) and the recursive case (i.e., E≠F). The normalisation rule 
≠null follows from the following facts: E↦c(_) ⇒ E≠null and P(E,F,_) ∧ E≠F ⇒ 
E≠null. Similarly, rule ≠* follows from the following facts: x↦_ * P(y,F,_) ∧ y≠F ⇒ 
x≠y, x↦_ * y↦_ ⇒ x≠y, and P1(x,F1,_) * P2(y,F2,_) ∧ x≠F1 ∧ y≠F2 ⇒ x≠y. 


Axiom and Reduction Axiom rules include Emp, Inconsistency and Id, presented in 
Fig. 3. If any of these rules is applied to a leaf node, the node is evaluated as valid 
and marked as closed. The remaining ones in Fig. 3 are reduction rules. 

For simplicity, the unfoldings in rules Frame, RInd, and LInd are applied with the 
following definition of inductive predicates: 

$$
\begin{array}{rcl}
P(x,F,B,u,sc,tg) & \equiv & \mathsf{emp} \wedge x{=}F \wedge sc{=}tg \\
& \vee & \exists X, sc', d_1, d_2.\ x \mapsto c(X,d_1,d_2,u,sc) * Q_1(d_1,B) * Q_2(d_2,X) * P(X,F,B,u,sc',tg) \wedge \pi_0
\end{array}
$$

where B ∈ B̄, the matrix κ' contains two nested predicates Q1 and Q2, and the heap 
cell c ∈ Node is defined as data c{c next; c1 down1; c2 down2; τs scdata; τu udata} 
where c1, c2 ∈ Node, the down1 and down2 fields are for the nested predicates in the matrix 


$$
\mathrm{Subst}\ \frac{\Delta[E/x] \vdash \Delta'[E/x]}{\Delta \wedge x{=}E \vdash \Delta'}
\qquad
\mathrm{ExM}\ \frac{\Delta \wedge E_1{=}E_2 \vdash \Delta' \qquad \Delta \wedge E_1{\neq}E_2 \vdash \Delta'}{\Delta \vdash \Delta'}
\ \ E_1{=}E_2,\, E_1{\neq}E_2 \notin \pi \text{ and } FV(E_1,E_2) \subseteq FV(\Delta) \cup FV(\Delta')
$$

$$
\mathrm{LBase}\ \frac{(\kappa \wedge \pi)[tg/sc] \vdash \Delta'[tg/sc]}{P(E,E,B,u,sc,tg) * \kappa \wedge \pi \vdash \Delta'}
\qquad
{\neq}\mathrm{null}\ \frac{op(E) * \kappa \wedge \pi \wedge G(op(E)) \wedge E{\neq}\mathsf{null} \vdash \Delta'}{op(E) * \kappa \wedge \pi \wedge G(op(E)) \vdash \Delta'}
\ \ E{\neq}\mathsf{null} \notin \pi
$$

$$
{\neq}{*}\ \frac{op_1(E_1) * op_2(E_2) * \kappa \wedge \pi \wedge E_1{\neq}E_2 \vdash \Delta'}{op_1(E_1) * op_2(E_2) * \kappa \wedge \pi \vdash \Delta'}
\ \ E_1{\neq}E_2 \notin \pi \text{ and } G(op_1(E_1)), G(op_2(E_2)) \in \pi
$$

Fig. 2: Normalization rules 




$$
\mathrm{Id}\ \frac{}{\kappa \wedge \pi \vdash \kappa \wedge \pi}
\qquad
\mathrm{Emp}\ \frac{}{\mathsf{emp} \wedge \pi \vdash \mathsf{emp} \wedge \mathsf{true}}
\qquad
\mathrm{Inconsistency}\ \frac{}{\kappa \wedge \pi \vdash \Delta'}\ \ \pi \models \mathsf{false}
$$

$$
{=}\mathrm{R}\ \frac{\Delta \vdash \Delta'}{\Delta \vdash \Delta' \wedge E{=}E}
\qquad
\mathrm{Hypothesis}\ \frac{\Delta \wedge \pi \vdash \Delta'}{\Delta \wedge \pi \vdash \Delta' \wedge \pi'}\ \ \pi \models \pi'
\qquad
\mathrm{RBase}\ \frac{\Delta \vdash \Delta'}{\Delta \vdash P(E,E,B,u,sc,tg) * \Delta'}\ \ \Delta \models sc{=}tg
$$

$$
{*}\ \frac{\kappa_1 \wedge \pi \vdash \kappa_2 \qquad \kappa \wedge \pi \vdash \kappa' \wedge \pi'}{\kappa_1 * \kappa \wedge \pi \vdash \kappa_2 * \kappa' \wedge \pi'}
\ \ roots(\kappa_1) \cap roots(\kappa) = \emptyset\ \&\ FV(\kappa_2) \subseteq FV(\kappa_1 \wedge \pi) \cup \{\mathsf{null}\}\ \&\ FV(\kappa') \subseteq FV(\kappa \wedge \pi) \cup \{\mathsf{null}\}
$$

$$
\mathrm{Frame}\ \frac{Q_1(E_1,B)^0 * Q_2(E_2,X)^0 * P(X,F,B,u,sc',tg)^{k+1} * \kappa_1 \wedge x{\neq}F \wedge \pi_0 \vdash \kappa_2 \wedge \pi_2}{P(x,F,B,u,sc,tg)^k * \kappa_1 \wedge x{\neq}F \vdash x \mapsto c(X,E_1,E_2,u,sc') * \kappa_2 \wedge \pi_2}
\ \ x \mapsto c(\_) \notin \kappa_2
$$

$$
\mathrm{RInd}\ \frac{x \mapsto c(X,E_1,E_2,u,sc') * \kappa_1 \wedge \pi_1 \wedge x{\neq}F \vdash x \mapsto c(X,E_1,E_2,u,sc') * Q_1(E_1,B) * Q_2(E_2,X) * P(X,F,B,u,sc',tg) * \kappa_2 \wedge \pi_2 \wedge \pi_0}{x \mapsto c(X,E_1,E_2,u,sc') * \kappa_1 \wedge \pi_1 \wedge x{\neq}F \vdash P(x,F,B,u,sc,tg) * \kappa_2 \wedge \pi_2}
$$

$$
\mathrm{LInd}\ \frac{x \mapsto c(X,E_1,E_2,u,sc') * Q_1(E_1,B)^0 * Q_2(E_2,X)^0 * P(X,F,B,u,sc',tg)^{k+1} * \kappa_1 \wedge x{\neq}F_3 \wedge \pi_0 \vdash Q(x,F_3,B,u,sc,tg_2) * \kappa_2 \wedge \pi_2}{P(x,F,B,u,sc,tg)^k * \kappa_1 \wedge x{\neq}F_3 \vdash Q(x,F_3,B,u,sc,tg_2) * \kappa_2 \wedge \pi_2}
$$

Fig. 3: Reduction rules (where †: P(x,F,B,u,sc,tg) ∉ κ1, ‡: x↦c(X,E1,E2,u,sc') ∉ κ2) 


heaps, the udata field is for the transitivity data, and the scdata field is for ordering 
data. The rules for the general form of the matrix heaps κ' are presented in [28]. 

=R and Hypothesis eliminate pure constraints in the RHS. In rule *, roots(κ) is 
defined inductively as: roots(emp) = {}, roots(r↦_) = {r}, roots(P(r,F,..)) = {r} 
and roots(κ1*κ2) = roots(κ1) ∪ roots(κ2). This rule is applied in three ways. First, 
it is applied to an entailment of the form κ ∧ π ⊢ κ ∧ π'. It matches and dis- 
cards the identical heap predicates on the two sides to generate a premise with 
empty heaps. As a result, this premise may be applied with the axiom rule Emp. Sec- 
ondly, it is applied to an entailment of the form x1↦c1(v̄1) * ... * xn↦cn(v̄n) ∧ π ⊢ κ' ∧ π'. 
For each points-to predicate xi↦ci(v̄i) ∈ κ', ω-ENT searches for one points-to predicate 
xj↦cj(v̄j) in the LHS such that xj↦cj(v̄j) ≡ xi↦ci(v̄i). Lastly, it is applied to an 
entailment of the form Δ1 * Δ ⊢ Δ2 * Δ' where either Δ1 ⊢ Δ2 or Δ ⊢ Δ' could 
be linked back to an internal node. 

In RInd, for each occurrence of an inductive predicate P(r,F,B,u,sc,tg) in κ', ω-ENT 
searches for a points-to predicate r↦_. If any of these searches fails, ω-ENT decides the 
conclusion as invalid. Rule LInd unfolds the inductive predicates in the LHS. Every 
LHS of entailments in this rule also captures the unfolding numbers for the subterm 
relationship and generates the progressing point in the cyclic proofs afterwards. These 
numbers are essential for our system to construct cyclic proofs. This rule is applied in a 
depth-first manner, i.e., if there is more than one occurrence of inductive predicates in 
the LHS that could be applied by this rule, the one with the greatest unfolding number 
is chosen. We emphasise that the last five rules still work well when the predicate in the 
RHS contains only a subset of the local properties w.r.t. the predicate in the LHS. 
Back-Link Generation Procedure link_back generates a back-link as follows. In a pre- 
proof, given a path containing a back-link, say e1, e2, .., em where e1 is a companion 
and em a bud, then e1 is in NF and of the following form: 


— e1 = P(x,F,B,u,sc,tg)^k * κ ∧ π ∧ x≠F ∧ x≠null ⊢ Q(x,F2,B,u,sc,tg2) * κ' ∧ π'. 
— e2 is obtained from applying LInd to e1. e2 is of the form: 

$$
x \mapsto c(X,\bar{p},u,sc) * \kappa'_1 * P(X,F,B,u,sc',tg)^{k+1} * \kappa \wedge \pi \wedge x{\neq}F \wedge x{\neq}\mathsf{null} \wedge \pi_1
\ \vdash\ Q(x,F_2,B,u,sc,tg_2) * \kappa' \wedge \pi'
$$

We remark that sc ⊙ sc' ∈ π1, and if k ≥ 1, then sc_1 ⊙ sc ∈ π. 

— e3, .., e_{m-4} are obtained from applications of normalisation rules to normalise the 
LHS of e2 due to the presence of κ'_1. As the roots of inductive predicates in κ'_1 are 
fresh variables, the applications of the normalization rules above do not affect the 
RHS of e2. That means the RHS of e3, .., and e_{m-4} are the same as that of e2. As 
a result, e_{m-4} is of the form: 

$$
x \mapsto c(X,\bar{p},u,sc) * \kappa''_1 * P(X,F,B,u,sc',tg)^{k+1} * \kappa \wedge \pi \wedge x{\neq}F \wedge x{\neq}\mathsf{null} \wedge \pi_1 \wedge \pi_2
\ \vdash\ Q(x,F_2,B,u,sc,tg_2) * \kappa' \wedge \pi'
$$

where κ''_1 may be emp and π2 is a conjunction of disequalities coming from ExM. 
— e_{m-3} is obtained from the application of ExM over x and F2 and is of the form: 

$$
x \mapsto c(X,\bar{p},u,sc) * \kappa''_1 * P(X,F,B,u,sc',tg)^{k+1} * \kappa \wedge \pi \wedge x{\neq}F \wedge x{\neq}\mathsf{null} \wedge \pi_1 \wedge \pi_2 \wedge x{\neq}F_2
\ \vdash\ Q(x,F_2,B,u,sc,tg_2) * \kappa' \wedge \pi'
$$

(For the case x=F2, the rule ExM keeps being applied until either F = F2, that is, the two 
sides are reaching the end of the same heap segment, or it is stuck.) 
— e_{m-2} is obtained from the application of RInd and is of the form: 

$$
x \mapsto c(X,\bar{p},u,sc) * \kappa''_1 * P(X,F,B,u,sc',tg)^{k+1} * \kappa \wedge \pi \wedge x{\neq}F \wedge x{\neq}\mathsf{null} \wedge \pi_1 \wedge \pi_2 \wedge x{\neq}F_2
\ \vdash\ x \mapsto c(X,\bar{p},u,sc) * \kappa''_1 * Q(X,F_2,B,u,sc',tg_2) * \kappa' \wedge \pi' \wedge \pi_3
$$

— e_{m-1} is obtained from the application of Hypothesis to eliminate π3 (other- 
wise, it is stuck) and is of the form: 

$$
x \mapsto c(X,\bar{p},u,sc) * \kappa''_1 * P(X,F,B,u,sc',tg)^{k+1} * \kappa \wedge \pi \wedge x{\neq}F \wedge x{\neq}\mathsf{null} \wedge \pi_1 \wedge \pi_2 \wedge x{\neq}F_2
\ \vdash\ x \mapsto c(X,\bar{p},u,sc) * \kappa''_1 * Q(X,F_2,B,u,sc',tg_2) * \kappa' \wedge \pi'
$$

— em is obtained from the application of * and is of the form: 

$$
P(X,F,B,u,sc',tg)^{k+1} * \kappa \wedge \pi \wedge x{\neq}F \wedge x{\neq}\mathsf{null} \wedge \pi_1 \wedge \pi_2 \wedge x{\neq}F_2
\ \vdash\ Q(X,F_2,B,u,sc',tg_2) * \kappa' \wedge \pi'
$$

When k ≥ 1, it is always possible to link em back to e1 through the substitution 
σ = [x/X, sc/sc'] after weakening some pure constraints in its LHS. 
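To make the proof search of Sect. 4.1 concrete, the following added example (not code from the paper or from S2S_Lin) implements ω-ENT for the plain singly-linked list fragment: entailments over `ll` segments and points-to atoms, the normalisation rules Subst/ExM/LBase/RBase/≠null, the axioms Id/Emp/Inconsistency, the reduction rules *, RInd and LInd with unfolding numbers, and `link_back` as a search for a companion equal to the bud under a variable renaming with a strictly larger unfolding number (the progress condition). The encoding of atoms as tuples, the names `normalize`, `step`, `backlink`, `prove` and `entails`, and the sample entailments are assumptions of the example; unlike the paper's rules, the matrix heaps, borders and local properties are left out, and ExM is also applied to the root/segment pair of RHS predicates.

```python
from itertools import count, permutations

NULL = "null"
_fresh = count()

# An entailment is a triple (lhs, rhs, nes) of frozensets:
#   spatial atoms  ("pt", x, y)     x |-> c(y)
#                  ("ll", x, F, k)  ll(x, F) carrying unfolding number k
#   nes            disequalities, each a frozenset {a, b}
# Equalities are never stored: rule Subst is applied eagerly on ExM's "=" branch.

def ne(a, b):
    return frozenset((a, b))

def subst(atom, m):
    return atom[:1] + tuple(m.get(v, v) for v in atom[1:3]) + atom[3:]

def apply_subst(ent, m):
    lhs, rhs, nes = ent
    return (frozenset(subst(a, m) for a in lhs), frozenset(subst(a, m) for a in rhs),
            frozenset(frozenset(m.get(v, v) for v in d) for d in nes))

def strip(atoms):                 # forget unfolding numbers
    return frozenset(a[:3] for a in atoms)

def vars_of(atoms):
    return sorted({v for a in atoms for v in a[1:3] if v != NULL})

def normalize(ent):
    """Subst/ExM/LBase/RBase/!=null to a fixpoint; returns the NF leaves (ExM branches)."""
    lhs, rhs, nes = ent
    lhs = frozenset(a for a in lhs if not (a[0] == "ll" and a[1] == a[2]))   # LBase
    rhs = frozenset(a for a in rhs if not (a[0] == "ll" and a[1] == a[2]))   # RBase
    # !=null: an allocated root, or the root of a known non-empty segment, is not null
    nes = nes | frozenset(ne(a[1], NULL) for a in lhs if a[0] == "pt" or ne(a[1], a[2]) in nes)
    for a in sorted(lhs | rhs):
        if a[0] == "ll" and ne(a[1], a[2]) not in nes:                        # ExM on root/segment
            x, f = a[1], a[2]
            eq = apply_subst((lhs, rhs, nes), {x: f} if x != NULL else {f: x})
            return normalize(eq) + normalize((lhs, rhs, nes | {ne(x, f)}))
    return [(lhs, rhs, nes)]

def step(ent):
    """is_closed + apply on one NF leaf: 'valid', 'invalid' (stuck) or the premises."""
    lhs, rhs, nes = ent
    if any(len(d) == 1 for d in nes) or strip(lhs) == strip(rhs):
        return "valid"                                  # Inconsistency, Id or Emp
    common = frozenset(a for a in lhs if a[0] == "pt") & rhs
    if common:                                          # rule *: frame identical cells
        return [(lhs - common, rhs - common, nes)]
    for r in sorted(rhs):                               # RInd: unfold an RHS segment whose
        if r[0] == "ll" and ne(r[1], r[2]) in nes:      # root is allocated on the LHS
            for a in lhs:
                if a[0] == "pt" and a[1] == r[1]:
                    return [(lhs, rhs - {r} | {a, ("ll", a[2], r[2], 0)}, nes)]
    cands = [a for a in lhs if a[0] == "ll" and ne(a[1], a[2]) in nes
             and any(r[0] == "ll" and r[1] == a[1] for r in rhs)]
    if cands:                                           # LInd: deepest unfolding first
        a = max(cands, key=lambda t: t[3])
        y = f"y{next(_fresh)}"                          # fresh tail variable
        lhs2 = lhs - {a} | {("pt", a[1], y), ("ll", y, a[2], a[3] + 1)}
        return [(lhs2, rhs, nes | {ne(a[1], NULL)})]
    return "invalid"

def backlink(bud, ancestors):
    """Companion search: an ancestor equal to the bud under a renaming (the bud's pure
    part may be weakened) in which some segment has a strictly larger unfolding number."""
    bl, br, bn = bud
    bv = vars_of(bl | br)
    bn = frozenset(d for d in bn if d <= set(bv) | {NULL})
    for cl, cr, cn in ancestors:
        cv = vars_of(cl | cr)
        if len(cv) != len(bv):
            continue
        for perm in permutations(cv):
            il, ir, idis = apply_subst((bl, br, bn), dict(zip(bv, perm)))
            if strip(il) != strip(cl) or strip(ir) != strip(cr) or not cn <= idis:
                continue
            if any(a[3] > c[3] for a in il if a[0] == "ll"
                   for c in cl if c[:3] == a[:3]):
                return True
    return False

def prove(ent, ancestors=()):
    """Depth-first proof construction without back-tracking: False means stuck."""
    for leaf in normalize(ent):
        if backlink(leaf, ancestors):
            continue
        res = step(leaf)
        if res == "invalid":
            return False
        if res != "valid" and not all(prove(p, ancestors + (leaf,)) for p in res):
            return False
    return True

def ll(x, f): return ("ll", x, f, 0)
def pt(x, y): return ("pt", x, y)

def entails(lhs, rhs):
    return prove((frozenset(lhs), frozenset(rhs), frozenset()))
```

`entails([ll("x","z"), ll("z","null")], [ll("x","null")])` is the e2 of Sect. 3.1 with Δ = ll(z,null): the x≠z branch is unfolded once by LInd, RInd and * strip the matched cell, and the remaining leaf ll(y,z)^1 * ll(z,null) ⊢ ll(y,null) is closed by a back-link to the normalised root under [x/y], so no disjunction ever appears on the RHS. `entails([ll("x","y")], [ll("x","null")])` gets stuck on the x=y branch (emp ⊢ ll(y,null) with nothing known about y) and is reported invalid, which matches the bad model x = y ≠ null on the empty heap.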
[Fig. 4 is a proof-tree figure not reproduced here: nodes e0 to e12 connected by the rules LInd, ExM, Subst, LBase, RInd, Hypothesis, RBase, ≠*, * and Id, with a back-link from e12 to e0 labelled [x/X, mi/m'].] 


Fig. 4: Cyclic proof of lls(x,null,mi,ma)^0 ∧ x≠null ⊢ llb(x,null,mi). 


4.2 Illustrative Example 
We illustrate our system through the following example: 

$$
e_0 :\ \mathsf{lls}(x,\mathsf{null},mi,ma)^0 \wedge x{\neq}\mathsf{null} \vdash \mathsf{llb}(x,\mathsf{null},mi)
$$

where the sorted linked-list lls (mi is the minimum value and ma is the maximum 
value) is defined in Sect. 2.1 and llb defines singly-linked lists whose values are greater 
than or equal to a constant number. Particularly, predicate llb is defined as follows. 

$$
\mathsf{pred}\ \mathsf{llb}(r,F,b) \equiv \mathsf{emp} \wedge r{=}F\ \vee\ \exists X_{tl}, d.\ r \mapsto c_4(X_{tl},d) * \mathsf{llb}(X_{tl},F,b) \wedge r{\neq}F \wedge b{\leq}d
$$

Since the LHS is stronger than the RHS, this entailment is valid. Our system could 
generate the cyclic proof (shown in Fig. 4) to prove the validity of e0. In the following, 
we present step by step how the proof was created. Firstly, e0, which is in NF, 
is applied with rule LInd to unfold predicate lls(x,null,mi,ma)^0 and obtain e1 as: 

$$
e_1 :\ x \mapsto c_4(X,m') * \mathsf{lls}(X,\mathsf{null},m',ma)^1 \wedge x{\neq}\mathsf{null} \wedge mi{<}m' \vdash \mathsf{llb}(x,\mathsf{null},mi)
$$

We remark that the unfolding number of the recursive predicate lls in the LHS is 
increased by 1. Next, our system normalizes e1 by applying rule ExM to X and null 
to generate two children, e2 and e3, as follows. 

$$
\begin{array}{rl}
e_2 : & x \mapsto c_4(X,m') * \mathsf{lls}(X,\mathsf{null},m',ma)^1 \wedge x{\neq}\mathsf{null} \wedge mi{<}m' \wedge X{=}\mathsf{null} \vdash \mathsf{llb}(x,\mathsf{null},mi) \\
e_3 : & x \mapsto c_4(X,m') * \mathsf{lls}(X,\mathsf{null},m',ma)^1 \wedge x{\neq}\mathsf{null} \wedge mi{<}m' \wedge X{\neq}\mathsf{null} \vdash \mathsf{llb}(x,\mathsf{null},mi)
\end{array}
$$

For the left child, it applies normalization rules to obtain e4 (substitute X by null) 
and then e5, by LBase to unfold lls(null,null,m',ma)^1 to the base case, as: 

$$
\begin{array}{rl}
e_4 : & x \mapsto c_4(\mathsf{null},m') * \mathsf{lls}(\mathsf{null},\mathsf{null},m',ma)^1 \wedge x{\neq}\mathsf{null} \wedge mi{<}m' \vdash \mathsf{llb}(x,\mathsf{null},mi) \\
e_5 : & x \mapsto c_4(\mathsf{null},ma) \wedge x{\neq}\mathsf{null} \wedge mi{<}ma \vdash \mathsf{llb}(x,\mathsf{null},mi)
\end{array}
$$


An Efficient Cyclic Entailment Procedure in a Fragment of Separation Logic 489 


Now, e5 is in NF. S2S_Lin applies RInd and then RBase to llb in the RHS as: 

$$
\begin{array}{rl}
e_6 : & x \mapsto c_4(\mathsf{null},ma) \wedge x{\neq}\mathsf{null} \wedge mi{<}ma \vdash x \mapsto c_4(\mathsf{null},ma) * \mathsf{llb}(\mathsf{null},\mathsf{null},mi) \wedge mi{\leq}ma \\
e_6 : & x \mapsto c_4(\mathsf{null},ma) \wedge x{\neq}\mathsf{null} \wedge mi{<}ma \vdash x \mapsto c_4(\mathsf{null},ma) \wedge mi{\leq}ma
\end{array}
$$

After that, as mi<ma ⇒ mi≤ma, e6 is applied with Hypothesis to obtain e7. 

$$
e_7 :\ x \mapsto c_4(\mathsf{null},ma) \wedge x{\neq}\mathsf{null} \wedge mi{<}ma \vdash x \mapsto c_4(\mathsf{null},ma)
$$

As the LHS of e7 is in NF and a base formula, it is sound and complete to apply rule * 
to obtain e8 as emp ∧ x≠null ∧ mi<ma ⊢ emp. By Emp, e8 is decided as valid. For the 
right branch of the proof, e3 is applied with rule ≠* and then RInd to obtain e9: 

$$
\begin{array}{rl}
e_9 : & x \mapsto c_4(X,m') * \mathsf{lls}(X,\mathsf{null},m',ma)^1 \wedge x{\neq}\mathsf{null} \wedge mi{<}m' \wedge X{\neq}\mathsf{null} \wedge x{\neq}X \\
& \vdash x \mapsto c_4(X,m') * \mathsf{llb}(X,\mathsf{null},mi) \wedge mi{\leq}m'
\end{array}
$$

Then, e9 is applied with Hypothesis to eliminate the pure constraint in the RHS: 

$$
\begin{array}{rl}
e_{10} : & x \mapsto c_4(X,m') * \mathsf{lls}(X,\mathsf{null},m',ma)^1 \wedge x{\neq}\mathsf{null} \wedge mi{<}m' \wedge X{\neq}\mathsf{null} \wedge x{\neq}X \\
& \vdash x \mapsto c_4(X,m') * \mathsf{llb}(X,\mathsf{null},mi)
\end{array}
$$

e10 is then applied with the rule * to obtain e11 and e12 as follows. 

$$
\begin{array}{rl}
e_{11} : & x \mapsto c_4(X,m') \vdash x \mapsto c_4(X,m') \\
e_{12} : & \mathsf{lls}(X,\mathsf{null},m',ma)^1 \wedge x{\neq}\mathsf{null} \wedge mi{<}m' \wedge X{\neq}\mathsf{null} \wedge x{\neq}X \vdash \mathsf{llb}(X,\mathsf{null},mi)
\end{array}
$$

e11 is valid by Id. e12 is successfully linked back to e0 to form a pre-proof, as 

$$
(\mathsf{lls}(X,\mathsf{null},m',ma)^1 \wedge X{\neq}\mathsf{null})[x/X, mi/m'] \vdash \mathsf{llb}(X,\mathsf{null},mi)[x/X, mi/m']
$$

is identical to e0. Since lls(X,null,m',ma)^1 in e12 is a subterm of 
lls(x,null,mi,ma)^0 in e0, our system decides that e0 is valid with the cyclic proof 
presented in Fig. 4. 


5 Soundness, Completeness, and Complexity 


We describe the soundness, termination, and completeness of ω-ENT. First, we need to 
show the invariant about the quantifier-free entailments of our system. 


Corollary 1. Every entailment derived from w-ENT is quantifier-free. 
The following lemma shows the soundness of the proof rules. 


Lemma 1 (Soundness). For each proof rule, the conclusion is valid if all premises are 
valid. 


As every back-link generated contains at least one pair of inductive predicate occur- 
rences in a subterm relationship, the global soundness condition holds in our system. 


Lemma 2 (Global Soundness). A pre-proof derived is indeed a cyclic proof. 
The termination relies on the number of premises/entailments generated by *. As 
the number of inductive symbols and their arities are finite, there is a finite number of 
equivalence classes of these entailments in which any two entailments in the same class 
are equivalent under some substitution and linked back together. Therefore, the number 
of premises generated by the rule * is finite, considering the back-link generation. 


Lemma 3. ω-ENT terminates. 


In the following, we show the complexity analysis. First, we show that every occur- 
rence of inductive predicates in the LHS is unfolded at most two times. 


Lemma 4. Given any entailment P(v̄)^k * Δa ⊢ Δc, 0 ≤ k ≤ 2. 


Let n be the maximum number of predicates (both inductive predicates and points-to 
predicates) among the LHS of the input and the definitions in P, and m be the maximum 
number of fields of data structures. Then, the complexity is defined as follows. 


Proposition 1 (Complexity). QF_ENT–SL_LIDe is O(n × 2^m + n°). 


If m is bounded by a constant, the complexity becomes polynomial in time. 

Our completeness proofs are shown in two steps. First, we show the proofs for an 
entailment whose LHS is a base formula. Second, we show the correctness when the 
LHS contains inductive predicates. In the following, we first define the base formulas 
of the LHS derived by ω-ENT from occurrences of inductive predicates. Based on that, 
we define bad models to capture counter-models of invalid entailments. 


Definition 4 (SHLIDe Base) Given κ, define κ̄ as follows. 

$$
\begin{array}{rcl}
\overline{P(E,F,B,u,sc,tg)} & \triangleq & E \mapsto c(F,E_1,E_2,u,tg) * \overline{Q_1(E_1,B)} * \overline{Q_2(E_2,F)} \wedge \pi_0 \\
\overline{E \mapsto c(\bar{v})} & \triangleq & E \mapsto c(\bar{v}) \qquad \overline{\mathsf{emp}} \triangleq \mathsf{emp} \qquad \overline{\kappa_1 * \kappa_2} \triangleq \overline{\kappa_1} * \overline{\kappa_2}
\end{array}
$$

The definition for general predicates with arbitrary matrix heaps is presented in [28]. 
As P does not include mutual recursion (Condition C3), the definition above terminates 
in a finite number of steps. In a pre-proof, these SHLIDe base formulas of the LHS are 
obtained once every inductive predicate has been unfolded. 


Lemma 5. If κ ∧ π is in NF, then κ̄ ∧ π is in NF, and κ̄ ∧ π ⊢ κ is valid. 


In other words, κ̄ ∧ π is an under-approximation of κ ∧ π; invalidity of κ̄ ∧ π ⊢ Δ' 
implies invalidity of κ ∧ π ⊢ Δ'. 


Definition 5 (Bad Model) The bad model for κ̄ ∧ φ ∧ α in NF is obtained by assigning 


- a distinct non-null value to each variable in FV(κ̄ ∧ φ); and 
- a value to each variable in FV(α) such that α is satisfiable. 


Lemma 6. 1. For every proof rule except the rule *, all premises are valid only if the 
conclusion is valid. 
2. For the rule *, where the conclusion is of the form Δ^b ⊢ κ', all premises are valid 
only if the conclusion is valid and Δ^b is in NF. 
The following lemma states the correctness of the procedure is_closed for cases 
2(b-d). 


Lemma 7 (Stuck Invalidity). Given κ ∧ π ⊢ Δ' in NF, it is invalid if the procedure 
is_closed returns invalid for cases 2(b-d). 


A bad model of κ ∧ π is a counter-model. Cases 2b) and 2c) show that the heaps 
of bad models are not connected, and thus according to conditions C1 and C2, any 
model of the LHS could not be a model of the RHS. Case 2d) shows that the heaps of 
the two sides could not be matched. We next show the correctness of Case 2(a) of the 
procedure is_closed, and that invalidity is preserved during the proof search in ω-ENT. 


Proposition 2 (Invalidity Preservation). If ω-ENT is stuck, the input is invalid. 


In other words, if ω-ENT returns invalid, we can construct a bad model. 


Theorem 2. QF_ENT–SL_LIDe is decidable. 


6 Implementation and Evaluation 


We implement S2S_Lin using OCaml. This implementation is an instantiation of a general 
framework for cyclic proofs. We utilize the cyclic proof systems to derive bases for in- 
ductive predicates shown in [24] to discharge satisfiability of separation logic formulas. 
We use the solver presented in [29,31] for those formulas beyond this fragment. We 
also develop a built-in solver for discharging equalities. 

We evaluated S2S_Lin to show that i) it can discharge problems in SHLIDe effectively; 
and ii) its performance is comparable with state-of-the-art solvers. The evaluation of 
S2S_Lin is provided as a companion artifact [27]. 


Experiment settings We have evaluated S2SLin on entailment problems taken from the SL-COMP benchmarks [38], a competition of separation logic solvers. We take 356 problems (out of 983) in two divisions of the competition, qf_shls_entl and qf_shlid_entl, and one new division, qf_shlid2_entl. All these problems semantically belong to our decidable fragment, and their syntax is written in the SMT 2.6 format [39].


- Division qf_shls_entl includes 296 entailment problems, 122 invalid problems and 174 valid problems, with only singly-linked lists. The authors in [33] randomly generated them.

- Division qf_shlid_entl contains 60 entailment problems which the authors in [15] handcrafted. They include singly-linked lists, doubly-linked lists, lists of singly-linked lists, or skip lists. Furthermore, the system of inductive predicates must satisfy the following condition: for two different predicates P, Q in the system of definitions, either $P \prec Q$ or $Q \prec P$.

- In the third division, we introduce new benchmarks, with 27 problems, beyond the above two divisions. In particular, every system of predicate definitions includes two predicates, P and Q, that are semantically equivalent. We have submitted this division to the GitHub repository of SL-COMP.
Table 1: Experimental results

Tool        | qf_shls_entl                  | qf_shlid_entl                 | qf_shlid2_entl
            | invalid | valid | Time        | invalid | valid | Time        | invalid | valid | Time
            | (122)   | (174) | (296)       | (24)    | (36)  | (60)        | (14)    | (13)  | (27)
SLS         | 12      | 174   | 507m42s     | 2       | 35    | 133m28s     | 0       | 11    | 97m54s
Spen        | 122     | 174   | 10.78s      | 14      | 13    | 3.44s       | 8       | 2     | 1.69s
Cyclist_SL  | 0       | 58    | 1520m5s     | 0       | 24    | 360m38s     | 0       | 3     | 240m3s
Harrsh      | 39      | 116   | 425m19s     | 18      | 27    | 53m56s      | 8       | 7     | 156m45s
Songbird    | 12      | 174   | 237m25s     | 2       | 35    | 40m38s      | 0       | 12    | 47m11s
S2SLin      | 122     | 174   | 6.22s       | 24      | 36    | 0.96s       | 14      | 13    | 1.20s


To evaluate S2SLin's performance, we compared it with state-of-the-art tools such as Cyclist_SL [5], Spen [15], Songbird [40], SLS [41] and Harrsh [23]. We omitted Cycomp [42], as these benchmarks are beyond its decidable fragment. Note that Cyclist_SL, Songbird and SLS are not complete; for non-valid problems, Cyclist_SL returns unknown, while Songbird and SLS use some heuristic to guess the outcome. For each division, we report the number of correct outputs (invalid, valid) and the time (in minutes and seconds) taken by each tool. Note that we use the status (invalid, valid) annotated with each problem in the SL-COMP benchmark as the ground truth. If the output is the same as the status, we classify it as correct; otherwise, it is marked as incorrect. We also note that in these experiments, we used the competition pre-processing tool [39] to transform the SMT 2.6 format into the corresponding input formats of the tools before running them. All experiments were performed on an Intel Core i7-6700 CPU at 3.4 GHz with 8 GB RAM. The CPU timeout is 600 seconds.


Experiment results The experimental results are reported in Table 1. In this table, the 
first column presents the names of the tools. The following three columns show the 
results of the first division, including the number of correct invalid outputs, the number 
of correct valid outputs and the taken time (where m for minutes and s for seconds), 
respectively. The number between each pair of brackets (...) in the third row shows the 
number of problems in the corresponding column. Similarly, the following two groups 
of six columns describe the results of the second and third divisions, respectively. 

In general, the experimental results show that S2SLin is the only tool that produced all the correct results. Other solvers either produced wrong results or could discharge only a fraction of the experiments. Moreover, S2SLin took a short time for the experiments (8.38 seconds, compared to 15.91 seconds for Spen, 324 minutes for Songbird, 635 minutes for Harrsh, 739 minutes for SLS and 2120 minutes for Cyclist_SL). While SLS returned 14 false negatives, Spen reported 20 false positives. Cyclist_SL, Songbird and Harrsh did not produce any wrong results. Of 569 tests, Cyclist_SL could handle 85 tests (15%), Harrsh could handle 215 tests (38%), and Songbird could decide 235 tests (41.3%). Of the 223 valid tests, Cyclist_SL could handle 85 problems (38%), and Songbird could decide 222 problems (99.5%).

Now we examine the results for each division in detail. For qf_shls_entl, Spen returned all correct, Songbird 186, Harrsh 155, and Cyclist_SL 58. If we set the timeout to 2400 seconds, both Songbird and Harrsh produced all the correct results. Division qf_shlid_entl includes 24 invalid problems and 36 valid problems. While Songbird produced 37 problems correctly, Cyclist_SL produced 24 correct results. Spen reported 27 correct results and 13 false positives (sk12-vc{01-04}, sk13-vc01, sk13-vc{03-10}). The last division, qf_shlid2_entl, includes 14 invalid and 13 valid test problems. While Songbird decided only 12 problems correctly, Cyclist_SL produced 3 correct outcomes. Spen reported 10 correct results. However, it produced 7 false positives (ls-mul-vc{01-03}, ls-mul-vc05, nll-mul-vc{01-03}). We believe that engineering design and effort play an essential role alongside theory development. Since our experiments provide a breakdown of the results for the two SL-COMP competition divisions, we hope that they provide an initial understanding of the SL-COMP benchmarks and tools. Consequently, this might reduce the effort of preparing experiments over these benchmarks when evaluating new SL solvers. Finally, one might point out that S2SLin performed well because the entailments in the experiments are within its scope. We do not entirely disagree with this argument but would like to emphasize that tools do not always work well on favourable benchmarks. For example, Spen produced wrong results on qf_shlid_entl, and Harrsh did not handle qf_shlid_entl and qf_shlid2_entl well, although these problems are in their decidable fragments.


7 Related Work 


S2SLin is a variant of the cyclic proof systems [3,4,5,26] and [42]. Unlike existing cyclic proof systems, the soundness of S2SLin is local, and the proof search does not backtrack. The work presented in [42] shows the completeness of its cyclic proof system. Its main contribution is introducing the rule x for those entailments with a disjunction in the RHS obtained from predicate unfolding. In contrast to [42], our work includes normalization to soundly and completely avoid disjunction in the RHS during unfolding. Moreover, our decidable fragment SHLIDe does not overlap with the cone predicates introduced in [42]. Furthermore, due to the empty heap in the base cases, the matching rule in [42] cannot be applied to the predicates in SHLIDe. Finally, our work also presents how to obtain the global soundness condition for cyclic proofs.

Our work relates to the inductive theorem provers introduced in [10], [40] and 
Smallfoot [2]. While [10] is based on structural induction, [40] is based on mathematical 
induction. Smallfoot [2] proposed a decision procedure for linked lists and trees. It used 
a fixed compositional rule as a consequence of induction reasoning to handle inductive 
entailments. Compared with Smallfoot, our proof system replaces the compositional 
rule by combining the rule LInd and the back-link construction. Our system can support induction reasoning on a much more expressive fragment of inductive predicates.

Our proposal also relates to works that use lemmas as consequences of induction 
reasoning [2,16,30,41]. These works in [16,25,30,41] automatically generate lemmas 
for some classes of inductive predicates. S2 [25] generated lemmas to normalize (such 
as split and equivalence) the shapes of the synthesized data structures. [16] proposed 
to generate several sets of lemmas not only for compositional predicates but also for 
different predicates (e.g., completion lemmas, stronger lemmas and static parameter 
contraction lemmas). SLS [41] aims to infer general lemmas to prove an entailment. 
Similarly, S2ENT [30] solves a more generic problem, frame inference, using cyclic proofs and lemma synthesis. It infers a shape-based residual frame in the LHS and then synthesizes the pure constraints over the two sides.

S2SLin relates to model-based decision procedures that reduce the entailment problem in separation logic to a well-studied problem in other domains. For instance, in
[8,11,17], the entailment problem, including singly-linked lists and their invariants, is 
reduced to the problem of inclusion checking in a graph theory. The authors in [18] 
reduced the entailment problem to the satisfiability problem in second-order monadic 
logic. This reduction could handle an expressive fragment of spatial-based predicates 
called bounded-tree width. Moreover, the work presented in [23] shows a model-based 
decision procedure for a subfragment of the bounded-tree width. Furthermore, while 
the work in [15,19] reduced the entailment problem to the inclusion checking problem 
in tree automata, [21] presented an idea to reduce the problem to the inclusion checking 
problem in heap automata. Moreover, while the procedure in [15] supported compo- 
sitional predicates (single and double links) well, the procedure in [19] could handle 
predicates satisfying local properties (e.g., trees with parent pointers). Our decidable 
fragment subsumes the one described in [2,11,15] but is incomparable to the ones pre- 
sented in [8,17,18,19]. Works in [34] and [35,36] reduced the entailment problem in 
separation logic into the satisfiability problem in SMT. While GRASShopper [35,36] can handle transitive closure pure properties, S2SLin is capable of supporting local ones. Unlike GRASShopper, which reduces entailment into SMT problems, S2SLin reduces an entailment to admissible entailments and detects repetitions via cyclic proofs.

Decidable fragments and complexity results of the entailment problem in separa- 
tion logic with inductive predicates were well studied. The entailment is 2-EXPTIME 
in cone predicates [42], the bounded tree-width predicates and beyond [18,14], and 
EXPTIME in a sub-fragment of cone predicates [19]. In the other class, entailment is 
in polynomial time for singly-linked lists [11] and semantically linear inductive predicates [15]. Moreover, the extensions with arithmetic [17] are in polynomial time but become EXPTIME when the lists are extended with double links [8]. SHLIDe (with nested lists,
trees and arithmetic properties) is roughly in the “middle” of the two classes above. The 
entailment is EXPTIME and becomes polynomial under the upper bound restriction. 


8 Conclusion 


We have presented a novel decision procedure for the quantifier-free entailment problem in separation logic combined with inductive definitions of compositional predicates and pure properties. Our proposal is the first complete cyclic proof system for the problem in separation logic without back-tracking. We have implemented the proposal in S2SLin and evaluated it over the set of nontrivial entailments taken from the SL-COMP competition. The experimental results show that our proposal is effective and efficient when compared to the state-of-the-art solvers. For future work, we plan to develop a bi-abductive procedure based on an extension of this work with the cyclic frame inference procedure presented in [30]. This extension is fundamental to obtaining a compositional shape analysis beyond lists and trees. Another line of work is to formally prove that our system is as strong as Smallfoot in the decidable fragment with lists and trees [2]: given an entailment, if Smallfoot can produce a proof, so can S2SLin.
Abstract. The concept of must testing is naturally parametrised with
a chosen completeness criterion, defining the complete runs of a sys- 
tem. Here I employ justness as this completeness criterion, instead of 
the traditional choice of progress. The resulting must-testing preorder is 
incomparable with the default one, and can be characterised as the fair 
failure preorder of Vogler. It also is the coarsest precongruence preserving 
linear time properties when assuming justness. 

As my system model I here employ Petri nets with read arcs. Through 
their Petri net semantics, this work applies equally well to process alge- 
bras. I provide a Petri net semantics for a standard process algebra ex- 
tended with signals; the read arcs are necessary to capture those signals. 


1 Introduction 


May- and must-testing was proposed by De Nicola & Hennessy in [9]. It yields 
semantic equivalences where two processes are distinguished if and only if they 
react differently on certain tests. The tests are processes that additionally feature success states. A test T is applied to a process N by taking the CCS parallel composition $T|N$, and implicitly applying a CCS restriction operator to it that removes the remnants of unsuccessful communication. Applying T to N is deemed successful if and only if this composition yields a process that may, respectively must, reach a success state. It is trivial to recast this definition using the CSP parallel composition $\|_A$ [39] instead of the one from CCS.

It is not a priori clear how a given process must reach a success state. For all 
we know it might stay in its initial state and never take any transition leading 
to this success state. To this end one must employ an assumption saying that 
under appropriate circumstances certain enabled transitions will indeed be taken. 
Such an assumption is called a completeness criterion [18]. The theory of testing 
from [9] implicitly employs a default completeness criterion that in [25] is called 
progress. However, one can parameterise the notion of must testing by the choice 
of any completeness criterion, such as the many notions of fairness classified in 
[25]. Here I employ justness, a completeness criterion that is better justified than 
either progress or fairness [25]. 
The resulting must-testing equivalence is incomparable to the progress-based
one from [9]. On the one hand, it no longer distinguishes deadlock and livelock, 
i.e., the Petri nets N and N’ of Ex. 3; on the other hand, it keeps recording 
information past a divergence. I characterise the corresponding preorder as the 
fair failure preorder of Vogler [43], which using my terminology ought to be 
called the just failures preorder. I show that it also is the coarsest precongruence 
preserving linear time properties when assuming justness. Finally I show that 
the same preorder originates from the timed must-testing framework explored 
in [43], but only if all quantitative information is removed from that approach. 

I carry out this work within the model of Petri nets extended with read arcs 
[35,7], so that it also applies to process algebras through their standard Petri 
net semantics. The extension with read arcs is necessary to capture signalling, a 
process algebra operator that cannot be adequately modelled by standard Petri 
nets. Signalling, or read arcs, can be used to accurately model mutual exclusion 
without making a fairness assumption [43,8,11]. This is not possible in standard 
Petri nets [31,43,24], or in process algebras with a standard Petri net semantics 
[24]. Here I give a Petri net semantics of signalling, and illustrate its use in 
modelling a traffic light, interacting with passing cars. 


Acknowledgement I am grateful to Weiyou Wang for valuable feedback. 


2 Labelled Petri nets with read arcs 


I will employ the following notations for multisets. 


Definition 1 Let X be a set. 


- A multiset over X is a function $A: X \to \mathbb{N}$, i.e. $A \in \mathbb{N}^X$.

- $x \in X$ is an element of A, notation $x \in A$, iff $A(x) > 0$.

- For multisets A and B over X I write $A \subseteq B$ iff $A(x) \le B(x)$ for all $x \in X$;
  $A \cup B$ denotes the multiset over X with $(A \cup B)(x) := \max(A(x), B(x))$,
  $A \cap B$ denotes the multiset over X with $(A \cap B)(x) := \min(A(x), B(x))$,
  $A + B$ denotes the multiset over X with $(A + B)(x) := A(x) + B(x)$,
  $A - B$ is given by $(A - B)(x) := \max(A(x) - B(x), 0)$, and
  for $k \in \mathbb{N}$ the multiset $k \cdot A$ is given by $(k \cdot A)(x) := k \cdot A(x)$.

- The function $\emptyset: X \to \mathbb{N}$, given by $\emptyset(x) := 0$ for all $x \in X$, is the empty multiset over X.

- The cardinality $|A|$ of a multiset A over X is given by $|A| := \sum_{x \in X} A(x)$.

- A multiset A over X is finite iff $|A| < \infty$, i.e., iff the set $\{x \mid x \in A\}$ is finite.


With $\{x, x, y\}$ I denote the multiset A over $\{x, y\}$ with $A(x) = 2$ and $A(y) = 1$, rather than the set $\{x, y\}$ itself. A multiset A with $A(x) \le 1$ for all x is identified with the set $\{x \mid A(x) = 1\}$.


I employ general labelled place/transition systems extended with read arcs [35,7]. 
Definition 2 Let A be a set of visible actions and $\tau \notin A$ be an invisible action. Let $A_\tau := A \cup \{\tau\}$. A (labelled) Petri net (over A) is a tuple $(S, T, F, R, M_0, \ell)$ where

- S and T are disjoint sets (of places and transitions),

- $F: ((S \times T) \cup (T \times S)) \to \mathbb{N}$ (the flow relation including arc weights),

- $R: S \times T \to \mathbb{N}$ (the read relation),

- $M_0: S \to \mathbb{N}$ (the initial marking), and

- $\ell: T \to A_\tau$ (the labelling function).


Petri nets are depicted by drawing the places as circles and the transitions as boxes, containing their label. Identities of places and transitions are displayed next to the net element. When $F(x, y) > 0$ for $x, y \in S \cup T$ there is an arrow (arc) from x to y, labelled with the arc weight $F(x, y)$. Weights 1 are elided. An element $(s, t)$ of the multiset R is called a read arc. Read arcs are drawn as lines without arrowhead. When a Petri net represents a concurrent system, a global state of this system is given as a marking, a multiset M of places, depicted by placing $M(s)$ dots (tokens) in each place s. The initial state is $M_0$.

The behaviour of a Petri net is defined by the possible moves between markings M and M', which take place when a finite multiset G of transitions fires. In that case, each occurrence of a transition t in G consumes $F(s, t)$ tokens from each place s. Naturally, this can happen only if M makes all these tokens available in the first place. Moreover, for each $t \in G$ there need to be at least $R(s, t)$ tokens in each place s that are not consumed when firing G. Next, each t produces $F(t, s)$ tokens in each place s. Definition 4 formalises this notion of behaviour.


Definition 3 Let $N = (S, T, F, R, M_0, \ell)$ be a Petri net. The multisets $\hat{t}, {}^{\bullet}t, t^{\bullet}: S \to \mathbb{N}$ are given by $\hat{t}(s) = R(s, t)$, ${}^{\bullet}t(s) = F(s, t)$ and $t^{\bullet}(s) = F(t, s)$ for all $s \in S$. The elements of $\hat{t}$, ${}^{\bullet}t$ and $t^{\bullet}$ are called read-, pre- and postplaces of t, respectively. These functions extend to finite multisets $G: T \to \mathbb{N}$ by $\hat{G} := \bigcup_{t \in G} \hat{t}$, ${}^{\bullet}G := \sum_{t \in T} G(t) \cdot {}^{\bullet}t$ and $G^{\bullet} := \sum_{t \in T} G(t) \cdot t^{\bullet}$.


Definition 4 ([7]) Let $N = (S, T, F, R, M_0, \ell)$ be a Petri net, $G \in \mathbb{N}^T$ non-empty and finite, and $M, M' \in \mathbb{N}^S$. G is a step from M to M', written $M [G\rangle_N M'$, iff
- ${}^{\bullet}G + \hat{G} \subseteq M$ (G is enabled) and
- $M' = (M - {}^{\bullet}G) + G^{\bullet}$.


Note that steps are (finite) multisets, thus allowing self-concurrency, i.e. the same transition can occur multiple times in a single step. One writes $M [t\rangle_N M'$ for $M [\{t\}\rangle_N M'$, whereas $M [t\rangle_N$ abbreviates $\exists M'.\, M [t\rangle_N M'$. The subscript N may be omitted if clear from context.

In my Petri nets transitions are labelled with actions drawn from a set $A \cup \{\tau\}$. This makes it possible to see these nets as models of reactive systems that interact with their environment. A transition t can be thought of as the occurrence of the action $\ell(t)$. If $\ell(t) \in A$, this occurrence can be observed and influenced by the environment, but if $\ell(t) = \tau$, it cannot, and t is an internal or silent transition. Transitions whose occurrences cannot be distinguished by the environment carry the same label. In particular, since the environment cannot observe the occurrence of internal transitions at all, they are all labelled $\tau$.

In [31,43,24] it was established that mutual exclusion protocols cannot be 
correctly modelled in standard Petri nets (without read arcs, i.e., satisfying 
R(s,t) =0 for all s € S and t € T), unless their correctness becomes contin- 
gent on making a fairness assumption. In [24] it was concluded from this that 
mutual exclusion protocols can likewise not be correctly expressed in standard 
process algebras such as CCS [34], CSP [6] or ACP [4], at least when sticking to 
their standard Petri net semantics. Yet Vogler showed that mutual exclusion can 
be correctly modelled in Petri nets with read arcs [43], and [8,11] demonstrate 
how mutual exclusion can be correctly modelled in a process algebra extended 
with signalling [3]. Thus signalling adds expressiveness to process algebra that 
cannot be adequately modelled in terms of standard Petri nets. This is my main 
reason to use Petri nets with read arcs as system model in this paper. 

In many papers on Petri nets, the sets of places and transitions are required 
to be finite, or at least countable. Here I need a milder restriction, and will limit 
attention to nets that are finitary in the following sense. 


Definition 5 A Petri net $N = (S, T, F, R, M_0, \ell)$ is finitary if $M_0$ is countable, $t^{\bullet}$ is countable for all $t \in T$, and moreover the set of transitions t with ${}^{\bullet}t = \emptyset$ is countable.


3 A Petri net semantics of CCSP with signalling 


CCSP [37] is a natural mix of the process algebras CCS [34] and CSP [6], often 
used in connection with Petri nets. Here I will present a Petri net semantics 
of a version CCSPS of CCSP enriched with signalling [3]. This builds on work 
from [29,44,27,10,37,38]; the only novelty is the treatment of signalling. Petri 
net semantics of other process algebras, like CCS [34], CSP [6] or ACP [4], are 
equally well known. This Petri net semantics lifts any semantic equivalence on 
Petri nets to CCSPS, or to any other process algebra, so that the results of this 
work apply equally well to process algebras. 

CCSPS is parametrised by the choice of sets $\mathcal{A}$ of visible actions and $\mathcal{K}$ of agent identifiers. Its syntax is given by

$$P, Q, P_i ::= \sum_{i \in I} a_i . P_i \;\mid\; a \triangleright \sum_{i \in I} a_i . P_i \;\mid\; P \|_A Q \;\mid\; \tau_A(P) \;\mid\; f(P) \;\mid\; K$$

with $a, a_i \in \mathcal{A}$, $A \subseteq \mathcal{A}$, $f: \mathcal{A} \to \mathcal{A}$ and $K \in \mathcal{K}$. Here the guarded choice $\sum_{i \in I} a_i . P_i$ executes one of the actions $a_i$, followed by the process $P_i$. The process $a \triangleright P$ behaves as P, except that in its initial state it is sending the signal a.¹ ² The process $P \|_A Q$ is the partially synchronous parallel composition of processes
The process P||4Q is the partially synchronous parallel composition of processes 


¹ The notation $a \triangleright P$ follows [8]; in [3,11] this is denoted $P^{\wedge}a$.

² Here I require P to be a guarded choice in order to avoid the need for a root condition [13] to make the equivalences of this paper into congruences. This is also the reason my language features a guarded choice, instead of action prefixing and general choice.
P and Q, where actions from A can take place only when both P and Q can engage in such an action, while other actions of P and Q occur independently. The abstraction operator $\tau_A$ hides the actions from A from the environment by renaming them into $\tau$, whereas f is a straightforward relabelling operator (leaving internal actions alone). Each agent identifier K comes with a defining equation $K \stackrel{def}{=} P$, with P a guarded CCSPS expression; it behaves exactly as the body of its defining equation. Here P is guarded if each occurrence of an agent identifier within P lies in the scope of a guarded choice $\sum_{i \in I} a_i . P_i$ or $a \triangleright \sum_{i \in I} a_i . P_i$.

A formal Petri net semantics of CCSPS, and of each of the operators $\sum$, $\triangleright$, $\|_A$, $\tau_A$ and f, appears in [22, Appendix A]. Here I give an informal summary.

Given nets $N_i$ for $i \in I$, the net $\sum_{i \in I} a_i . N_i$ is obtained by taking their disjoint union, but without their initial markings $(M_0)_i$, and adding a single marked place r, and for each $i \in I$ a fresh transition $t_i$, labelled $a_i$, with ${}^{\bullet}t_i = \{r\}$, $\hat{t}_i = \emptyset$ and $t_i^{\bullet} = (M_0)_i$.

The parallel composition $N \|_A N'$ is obtained out of the disjoint union of N and N' by dropping from N and N' all transitions t with $\ell(t) \in A$, and instead adding synchronisation transitions $(t, t')$ for each pair of transitions t and t' from N and N' with $\ell(t) = \ell(t') \in A$. One has ${}^{\bullet}(t, t') := {}^{\bullet}t + {}^{\bullet}t'$, and similarly for $\widehat{(t, t')}$ and $(t, t')^{\bullet}$, i.e., all arcs are inherited.

$\tau_A$ and f are renaming operators that only affect the labels of transitions.

The net $a \triangleright N$ adds to the net N a single transition u, labelled a, that may fire arbitrarily often, but is enabled in the initial state of N only. To this end, take ${}^{\bullet}u = u^{\bullet} = \emptyset$ and $\hat{u} = M_0$, the initial marking of N. I apply this construction only to nets whose initially marked places have no incoming arcs.


Example 1 A traffic light can be modelled by the recursive equation

$$TL \stackrel{def}{=} tr.tg.(drive \triangleright ty.TL).$$

Here the actions tr, tg and ty stand for "turn red", "turn green" and "turn yellow", and drive indicates a state where it is OK to drive through. A sequence of two passing cars is modelled as $Traffic \stackrel{def}{=} drive.drive.0$. Here 0 stands for the empty sum $\sum_{i \in \emptyset} a_i . P_i$ and models inaction. In the parallel composition $TL \|_{\{drive\}} Traffic$ the cars only drive through when the light is green. All three processes are displayed in Fig. 1.


4 Justness and other completeness criteria 


Definition 6 Let $N = (S, T, F, R, M_0, \ell)$ be a Petri net. An execution path $\pi$ is an alternating sequence $M_0 t_1 M_1 t_2 M_2 \ldots$ of markings and transitions of N, starting with $M_0$, and either being infinite or ending with a marking, such that $M_i [t_{i+1}\rangle_N M_{i+1}$ for all $i < length(\pi)$. Here $length(\pi) \in \mathbb{N} \cup \{\infty\}$ is the number of transitions in $\pi$.

Let $\ell(\pi) \in A_\tau^\infty$ be the string $\ell(t_1)\ell(t_2)\ldots$. Here $A^\infty$ denotes the collection of finite and infinite sequences of actions. Moreover, $trace(\pi) \in A^\infty$ is obtained from $\ell(\pi)$ by dropping all occurrences of $\tau$.
Fig. 1. Traffic passing traffic light: (left) the traffic light, with places red, green and yellow; (middle) the passing cars; (right) the cars passing the traffic light.


The execution path $\pi$ is said to enable a transition t, notation $\pi[t\rangle$, if $M_k[t\rangle$ for some $k \in \mathbb{N}$ with $k \le length(\pi)$, and for all $k \le j < length(\pi)$ one has $t_{j+1} \ne t$ and $({}^{\bullet}t + \hat{t}) \cap {}^{\bullet}t_{j+1} = \emptyset$.

Path $\pi$ is B-just, for some $B \subseteq A$, if $\ell(t) \in B$ for all $t \in T$ with $\pi[t\rangle$.


In the definition of $\pi[t\rangle$ above one also has $M_{j+1}[t\rangle$ for all $k \le j < length(\pi)$. Hence, a finite execution path enables a transition iff its final marking does so.

Informally, $\pi[t\rangle$ holds iff transition t is enabled in some marking on the path $\pi$, and after that state no transition of $\pi$ uses any of the resources needed to fire t. Here the read- and preplaces of t count as such resources. The clause $t_{j+1} \ne t$ moreover counts the transition itself as one of its resources, in the sense that a transition is no longer enabled when it occurs. This clause is redundant for transitions t with ${}^{\bullet}t \ne \emptyset$. One could interpret this clause as saying that a transition t with ${}^{\bullet}t = \emptyset$ comes with an implicit marked private preplace $p_t$, and arcs $(p_t, t)$ as well as $(t, p_t)$.

In [18] I posed that Petri nets or transition systems constitute a good model 
of concurrency only in combination with a completeness criterion: a selection of 
a subset of all execution paths as complete executions, modelling complete runs 
of the represented system. The default completeness criterion, called progress 
in [25], declares an execution path complete iff it either is infinite, or its final 
marking enables no transition. An alternative, called justness in [25], declares an 
execution path complete iff it enables no transition. Justness is a stronger com- 
pleteness criterion than progress, in the sense that it deems fewer execution paths 
complete. The difference is illustrated by the Petri net of Fig. 2(a). There, the execution of an infinite sequence of b-transitions, not involving the a-transition, is complete when assuming progress, but not when assuming justness. In the survey paper [25], 20 different completeness criteria are ordered by strength: progress, justness, and 18 kinds of fairness. Most of the latter are stronger than justness: in Fig. 2(b) the infinite sequence of b-transitions is just but unfair, i.e. incomplete according to these notions of fairness. Whereas justness was a new idea in the context of transition systems [25], it was used as an unnamed default assumption in much work on Petri nets [40]. That justness is better warranted in applications than other completeness criteria has been argued in [25,18,24,17].


Fig. 2. (a) Progress vs. justness; (b) Justness vs. fairness; (c) $\{b\}$-progress vs. $\emptyset$-progress

The mentioned completeness criteria from [25] are all stronger than progress, in the sense that not all infinite execution paths are deemed complete; on the finite execution paths they judge the same. An orthogonal classification is obtained by varying the set $B \subseteq A$ of actions that may be blocked by the environment. This fits the reactive viewpoint, in which a visible action can be regarded as a synchronisation between the modelled system and its environment. An environment that is not ready to synchronise with an action $b \in A$ can be regarded as blocking b. Now B-progress is the criterion that deems a path complete iff it is either infinite, or its final marking M enables only transitions with labels from B. When the environment may block such transitions, it is possible for the system to not progress past M. In Fig. 2(c) the execution that performs only the $\tau$-transition is complete when assuming $\{b\}$-progress, but not when assuming $\emptyset$-progress. Definition 6 defines B-justness accordingly, and [25] furthermore defines 18 different notions of B-fairness, for any choice of $B \subseteq A$. The internal action $\tau \notin B$ can never be blocked by the environment. The default forms of progress and justness described above correspond with $\emptyset$-progress and $\emptyset$-justness. In [40] blocking and non-blocking transitions are called cold and hot, respectively.

Two subtly different computational interpretations of Petri nets appear in the 
literature [14]: in the individual token interpretation multiple tokens appearing 
in the same place are seen as different resources, whereas in the collective token 
interpretation only the number of tokens in a place is semantically relevant. The 
difference is illustrated in Fig. 3. 
Fig. 3. Run $a^\omega$ is just under the individual token interpretation of Petri nets


The idea underlying justness is that once a transition t is enabled, eventually either t will fire, or one of the resources necessary for firing t will be used by some other transition. The execution path $\pi$ in the net of Fig. 3 that fires the action a infinitely often, but never the action b, is $\emptyset$-just by Def. 6. Namely, $t_b$ is not enabled by $\pi$, as $({}^{\bullet}t_b + \hat{t}_b) \cap {}^{\bullet}t_a \ne \emptyset$. This fits with the individual token interpretation, as in this run it is possible to eventually consume each token that is initially present, and each token that stems from firing transition $t_a$. This way any resource available for firing $t_b$ will eventually be used by some other transition.
When adhering to the collective token interpretation of nets, execution path $\pi$ could be deemed $\emptyset$-unjust, since transition $t_b$ can fire when there is at least one token in its preplace, and this state of affairs can be seen as a single resource that is never taken away. This might be formalised by adapting the definition of $\pi[t\rangle$, a path enabling a transition, namely by changing the condition $(^\bullet t + \hat{t}) \cap {}^\bullet t_{j+1} = \emptyset$ from Def. 6 into $^\bullet t + \hat{t} + {}^\bullet t_{j+1} \subseteq M_j$. However, this formalisation doesn't capture that after dropping place s from the net of Fig. 3 there is still an infinite run in which b does not occur, namely when regularly firing two a's simultaneously. This contradicts the conventional wisdom that firing multiple transitions at once can always be reduced to firing them in some order. To avoid that type of complication, I here stick to the individual token interpretation. Alternatively, one could restrict attention to 1-safe nets [40], on which there is no difference between the individual and collective token interpretations, or to the larger class of structural conflict nets [23,21], on which the conditions $(^\bullet t + \hat{t}) \cap {}^\bullet t_{j+1} = \emptyset$ and $^\bullet t + \hat{t} + {}^\bullet t_{j+1} \subseteq M_j$ are equivalent [21, Section 23.1], so that Def. 6 applies equally well to the collective token interpretation.


5 Feasibility 


A standard requirement on fairness assumptions, or completeness criteria in 
general, is feasibility [2], called machine closure in [33]. It says that any finite 
execution path can be extended into a complete one. The following theorem 
shows that B-justness is feasible indeed. 


Theorem 1 For any $B \subseteq A$, each finite execution path of a finitary Petri net can be extended into a B-just path.


Proof. Without loss of generality I restrict attention to nets without transitions t with $^\bullet t = \emptyset$. Namely, an arbitrary net can be enriched with marked private preplaces $p_t$ for each such t, and arcs $(p_t, t)$ and $(t, p_t)$. In essence, this enrichment preserves the collection of execution paths of the net, ordered by the relation "is an extension of", the validity of statements $\pi[t\rangle$, and the property of B-justness.

I present an algorithm extending any given path $M_0 t_1 M_1 t_2 \ldots t_k M_k$ into a B-just path $\pi = M_0 t_1 M_1 t_2 M_2 \ldots$. The extension only uses transitions $t_i$ with $\ell(t_i) \notin B$. As data structure my algorithm employs an $\mathbb{N} \times \mathbb{N}$-matrix with columns named i, for $i \geq k$, where each column has a head and a body. The head of column k contains $M_k$, and its body lists the places $s \in M_k$, leaving empty most slots if there are only finitely many such places. Since the given net is finitary, $M_k$ has only countably many elements, so that they can be listed in the $\mathbb{N}$ slots of column k.

The head of each column $i > k$ with $i-1 < \mathit{length}(\pi)$ will contain the pair $(t_i, M_i)$ and its body will list the places $s \in M_i$, again leaving empty most slots if there are only finitely many such places. Once more, finitariness ensures that there are enough slots in column i.
An entry in the body of the matrix is either (still) empty, filled in with a place, or crossed out. Let $f : \mathbb{N} \to \mathbb{N} \times \mathbb{N}$ be an enumeration of the entries in the body of this matrix.

At the beginning only column k is filled in; all subsequent columns of the matrix are empty. At each step $i > k$ I first cross out all entries s in the body of the matrix for which there is no transition t with $\ell(t) \notin B$, $M_{i-1}[t\rangle$ and $s \in {}^\bullet t$. In case all entries of the matrix are crossed out, the algorithm terminates, with output $M_0 t_1 M_1 t_2 \ldots M_{i-1}$. Otherwise I fill in column i as follows and cross out some more places occurring in the body of the matrix.

I take n to be the smallest value such that entry $f(n) \in \mathbb{N} \times \mathbb{N}$ is already filled in, say with place r, but not yet crossed out. By the previous step of the algorithm, $M_{i-1}[t_i\rangle$ for some transition $t_i$ with $\ell(t_i) \notin B$ and $r \in {}^\bullet t_i$. I now fill in $(t_i, M_i)$ in the head of column i; here $M_i$ is the unique marking such that $M_{i-1}[t_i\rangle M_i$. Subsequently I cross out all entries in the body of the matrix containing a place $r' \in {}^\bullet t_i$. This includes the entry f(n). Finally, I fill in the body of column i with the places $s \in M_i$.

In case the algorithm doesn't terminate, the desired path $\pi$ is the sequence $\pi = M_0 t_1 M_1 t_2 M_2 \ldots$ that is constructed in the limit. It remains to show that $\pi$ is B-just.

Towards a contradiction, suppose $\pi[t\rangle$ for a transition t with $\ell(t) \notin B$. By Def. 6 there is an $m \in \mathbb{N}$ with $m < \mathit{length}(\pi)$ such that $M_m[t\rangle$ and $(^\bullet t + \hat{t}) \cap {}^\bullet t_{j+1} = \emptyset$ for all $m \leq j < \mathit{length}(\pi)$. Let h be the smallest such m with $m \geq k$. Then there is a place $r \in {}^\bullet t$ appearing in column h. Here I use that $^\bullet t \neq \emptyset$. This place was not yet crossed out when column h was constructed. Since $r \notin {}^\bullet t_{j+1}$ and $M_{j+1}[t\rangle$ for all $h \leq j < \mathit{length}(\pi)$, place r will never be crossed out. It follows that $\pi$ must be infinite. The entry r in column h is enumerated as f(n) for some $n \in \mathbb{N}$, and is eventually reached by the algorithm and crossed out. In this regard the matrix acts as a priority queue. This yields the required contradiction.
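As an added illustration of the construction in this proof (example code written for this page, not code from the paper or its author), the following Python runs the extension algorithm on nets with finitely many places and transitions and finite markings, where the countable body of the matrix becomes a FIFO list of place entries. The sample nets, transition names and the bound `max_steps` are constructed here; the net of Fig. 3 is not reproduced, but `NET1` shows the situation described for it: a run $a^\omega$ in which the token needed by $t_b$ is consumed by $t_a$ each time.

```python
# Added example, not code from the paper: the path-extension algorithm of the
# proof of Theorem 1, restricted to nets with finitely many places and
# transitions and finite markings (the countable matrix body becomes a FIFO
# list).  Individual token interpretation: a marking is a multiset of places.
from collections import Counter


class Transition:
    """Label, preset (consumed), postset (produced) and read places (must be
    marked, nothing consumed), i.e. the read arcs of the paper."""

    def __init__(self, name, label, pre, post, read=()):
        self.name, self.label = name, label
        self.pre, self.post, self.read = Counter(pre), Counter(post), set(read)


def enabled(M, t):
    """M[t>: M holds the preset of t with multiplicity and all read places."""
    return (all(M.get(p, 0) >= n for p, n in t.pre.items())
            and all(M.get(p, 0) >= 1 for p in t.read))


def fire(M, t):
    """The unique marking M' with M[t>M'."""
    M2 = Counter(M)
    M2.subtract(t.pre)
    M2.update(t.post)
    return +M2                      # keep only places with a positive count


def consumers(transitions, M, B, place):
    """Transitions t with l(t) not in B, M[t> and place in the preset of t,
    in declaration order (the algorithm may pick any of them)."""
    return [t for t in transitions
            if t.label not in B and enabled(M, t) and place in t.pre]


def extend_to_just(transitions, M, B, max_steps=50):
    """Extend a finite path ending in marking M (column k of the matrix) by
    transitions with labels outside B, following the proof of Theorem 1.

    Returns (fired, terminated).  If terminated is True the extension is
    finite and the resulting path is B-just; otherwise `fired` is the prefix
    of the infinite B-just path built in the limit, cut after max_steps."""
    M = Counter(M)
    # matrix body: entries [place, crossed_out] in FIFO order; the position
    # in this list plays the role of the enumeration f of the proof
    body = [[p, False] for p, n in M.items() for _ in range(n)]
    fired = []
    for _ in range(max_steps):
        # cross out entries whose place feeds no allowed enabled transition
        for e in body:
            if not e[1] and not consumers(transitions, M, B, e[0]):
                e[1] = True
        live = [e for e in body if not e[1]]
        if not live:
            return fired, True      # everything crossed out: finite B-just path
        # the earliest uncrossed entry f(n) holds place r; fire a t_i with
        # r in its preset (exists by the crossing-out step above)
        r = live[0][0]
        t = consumers(transitions, M, B, r)[0]
        M = fire(M, t)
        fired.append(t.name)
        # cross out every entry holding a preplace of t_i, including f(n)
        for e in body:
            if e[0] in t.pre:
                e[1] = True
        # the body of column i lists the places of M_i
        body.extend([p, False] for p, n in M.items() for _ in range(n))
    return fired, False


# Constructed sample nets (not the nets of the paper's figures).
# NET1: t_a recycles the token in p, t_b moves it to q; both need p.
T_A = Transition("t_a", "a", pre={"p": 1}, post={"p": 1})
T_B = Transition("t_b", "b", pre={"p": 1}, post={"q": 1})
NET1 = [T_A, T_B]
# NET2: t_c has a private preplace q; t_d reads place s without consuming it.
T_C = Transition("t_c", "c", pre={"q": 1}, post={})
T_D = Transition("t_d", "d", pre={"p": 1}, post={"p": 1}, read={"s"})
NET2 = [T_A, T_C, T_D]

if __name__ == "__main__":
    # a^omega: t_a uses the token in p each time, so t_b is never enabled by
    # the path and the run is emptyset-just
    print(extend_to_just(NET1, {"p": 1}, B=set(), max_steps=10))
    # t_c owns its token: the priority queue forces it to fire eventually
    print(extend_to_just(NET2, {"p": 1, "q": 1}, B=set(), max_steps=10))
    # with a blocked by the environment only t_b may fire, then nothing
    print(extend_to_just(NET1, {"p": 1}, B={"a"}))
```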


The above proof is a variant of [18, Thm. 1], which itself is a variant of [25, Thm. 6.1]. The side condition of finitariness is essential, as the below counterexample shows.


Example 2 Let $N = (S, T, F, R, M_0, \ell)$ be the net with $T = \{t_r \mid r \in \mathbb{R}\}$, $S = \{s_r \mid r \in \mathbb{R}\}$, $M_0(s_r) = 1$, $\ell(t_r) = \tau$, $^\bullet t_r = \{s_r\}$ and $t_r^\bullet = \hat{t}_r = \emptyset$ for each $r \in \mathbb{R}$. It contains uncountably many action transitions, each with a marked private preplace. As each execution path $\pi$ contains only countably many transitions, many transitions remain enabled by $\pi$.


6 The coarsest preorders preserving linear time properties 


A linear time property is a predicate on system runs, and thus also on the execution paths of Petri nets. One writes $\pi \models \varphi$ if the execution path $\pi$ satisfies the linear-time property $\varphi$. As the observable behaviour of an execution path $\pi$ of a Petri net is deemed to be $\mathit{trace}(\pi)$, in this context one studies only linear time properties $\varphi$ such that

$$\mathit{trace}(\pi) = \mathit{trace}(\pi') \Rightarrow (\pi \models \varphi \Leftrightarrow \pi' \models \varphi). \qquad (1)$$

For this reason, a linear time property can be defined or characterised as a subset of $A^\infty$.

Linear time properties can be used to formalise correctness requirements on systems. They are deemed to hold for (or be satisfied by) a system iff they hold for all its complete runs. Following [20] I write $D \models^{CC} \varphi$ iff property $\varphi$ holds for all runs of the distributed system D—and $N \models^{CC} \varphi$ iff it holds for all execution paths of the Petri net N—that are complete according to the completeness criterion CC. Prior to [20], $\models$ was a binary predicate between systems—or system representations such as Petri nets—and properties; in this setting the default completeness criterion of Section 4 was used. When using a completeness criterion B-C, where C is one of the 20 completeness criteria classified in [25] and $B \subseteq A$ is a modifier of C based on the set B of actions that may be blocked by the environment, $N \models^{B\text{-}C} \varphi$ is written $N \models^C_B \varphi$ [20]. In this paper I am mostly interested in the values Pr and J of C, standing for progress and justness, respectively. To be consistent with previous work on temporal logic, $N \models \varphi$ is a shorthand for $N \models^{Pr}_\emptyset \varphi$.


For each completeness criterion B-C, let $\sqsubseteq^C_B$ be the coarsest preorder that preserves linear time properties when assuming B-C. Moreover, $\sqsubseteq^C$ is the coarsest preorder that preserves linear time properties when assuming completeness criterion C in each environment, meaning regardless which set of actions B can be blocked.


Definition 7 Write $N \sqsubseteq^C_B N'$ iff $N \models^C_B \varphi \Rightarrow N' \models^C_B \varphi$ for all linear time properties $\varphi$. Write $N \sqsubseteq^C N'$ iff $N \sqsubseteq^C_B N'$ for all $B \subseteq A$.


It is trivial to give a more explicit characterisation of these preorders. To preserve the analogy with the failure pairs of CSP [6], instead of sets $B \subseteq A$ I will record their complements $\bar{B} := A \setminus B$. As $\bar{\bar{B}} = B$, such sets carry the same information. Since B contains the actions that may be blocked by the environment, meaning that we consider environments that in any state may decide which actions from B to block, the set $\bar{B} \cup \{\tau\}$ contains actions that may not be blocked by the environment. This means that we only consider environments that in any state are willing to synchronise with any action in $\bar{B}$.


Definition 8 For completeness criterion C, B ranging over $\mathcal{P}(A)$, and Petri net N, let

$$\mathcal{F}^C(N) := \{(\sigma, \bar{B}) \mid N \text{ has a } B\text{-}C\text{-complete execution path } \pi \text{ with } \sigma = \mathit{trace}(\pi)\}$$
$$\mathcal{F}^C_B(N) := \{\sigma \mid N \text{ has a } B\text{-}C\text{-complete execution path } \pi \text{ with } \sigma = \mathit{trace}(\pi)\}.$$


An element $(\sigma, X)$ of $\mathcal{F}^C(N)$ could be called a C-failure pair of N, because it indicates that the system represented by N, when executing a path with visible content $\sigma$, may fail to execute additional actions from X, even when all these actions are offered by the environment, in the sense that the environment is perpetually willing to partake in those actions. Note that if $(\sigma, X) \in \mathcal{F}^C(N)$ and $Y \subseteq X$ then $(\sigma, Y) \in \mathcal{F}^C(N)$.


Proposition 1 $N \sqsubseteq^C_B N'$ iff $\mathcal{F}^C_B(N) \supseteq \mathcal{F}^C_B(N')$. Likewise, $N \sqsubseteq^C N'$ iff $\mathcal{F}^C(N) \supseteq \mathcal{F}^C(N')$.


Proof. Suppose $N \sqsubseteq^C_B N'$ and $\sigma \notin \mathcal{F}^C_B(N)$. Let $\varphi$ be the linear time property satisfying $\pi \models \varphi$ iff $\mathit{trace}(\pi) \neq \sigma$. Then $N \models^C_B \varphi$ and thus $N' \models^C_B \varphi$. Hence $\sigma \notin \mathcal{F}^C_B(N')$.

Suppose $N \not\sqsubseteq^C_B N'$. Then there exists a linear time property $\varphi$ such that $N \models^C_B \varphi$, yet $N' \not\models^C_B \varphi$. Let $\pi'$ be a B-C-complete execution path of N' such that $\pi' \not\models \varphi$, and let $\sigma = \mathit{trace}(\pi')$. By (1) $\pi \not\models \varphi$ for any execution path $\pi$ (of any net) such that $\mathit{trace}(\pi) = \sigma$. Hence $\sigma \in \mathcal{F}^C_B(N')$, yet $\sigma \notin \mathcal{F}^C_B(N)$. It follows that $\mathcal{F}^C_B(N) \not\supseteq \mathcal{F}^C_B(N')$.

The second statement follows as a corollary of the first, using that $\mathcal{F}^C(N) \supseteq \mathcal{F}^C(N')$ iff $\mathcal{F}^C_B(N) \supseteq \mathcal{F}^C_B(N')$ for all $B \subseteq A$.


The preorders $\sqsubseteq^C_B$ can be classified as linear time semantics [12], as they are characterised through reverse trace inclusions. The preorders $\sqsubseteq^C$ on the other hand capture a minimal degree of branching time. This is because they should be ready for different choices of a system's environment at runtime.

Note that $\sqsubseteq^C$ is contained in $\sqsubseteq^C_B$ for each $B \subseteq A$, in the sense that $N \sqsubseteq^C N'$ implies $N \sqsubseteq^C_B N'$. There is a priori no reason to assume inclusions between preorders $\sqsubseteq^C$ and $\sqsubseteq^D$ when D is a stronger completeness criterion than C.

To relate the preorders $\sqsubseteq^C_B$ and $\sqsubseteq^C$ with ones established in the literature, I consider the case C = Pr, i.e., taking progress as the completeness criterion C. The preorder $\sqsubseteq^{Pr}_\emptyset$ is characterised as reverse inclusion of complete traces, where completeness is w.r.t. the default completeness criterion of Section 4. These complete traces include


— the infinite traces of a system,

— its divergence traces (stemming from execution paths that end in infinitely many $\tau$-transitions), and

— its deadlock traces (stemming from finite execution paths that end in a marking enabling no transitions).


Deadlock and divergence traces are not distinguished. This corresponds with what is called divergence sensitive trace semantics ($T^\Delta$) in [12]. The above concept of complete traces of a process p is the same as in [15], there denoted $CT(p)$.

The preorder $\sqsubseteq^{Pr}_A$ is characterised as reverse inclusion of infinite and partial traces, i.e., the traces of all execution paths. This corresponds with what is called infinitary trace semantics ($T^\infty$) in [12]. It is strictly coarser (making more identifications) than $T^\Delta$.

To analyse the preorder $\sqsubseteq^{Pr}$, one has $(\sigma, X) \in \mathcal{F}^{Pr}(N)$ if either

— $\sigma$ is an infinite trace of N—the set X plays no role in that case,
— $\sigma$ is a divergence trace of N, or
— $\sigma$ is the trace of a finite path of N whose end-marking enables no transition t with $\ell(t) \in X$.


The resulting preorder does not occur in [12]—it can be placed strictly between divergence sensitive failure semantics ($F^\Delta$) and divergence sensitive trace semantics ($T^\Delta$).

The entire family of preorders $\sqsubseteq^C_B$ and $\sqsubseteq^C$ proposed in this section was inspired by its most interesting family member, $\sqsubseteq^J$ (i.e., taking justness as the completeness criterion C), proposed earlier by Walter Vogler [43, Def. 5.6], also on Petri nets with read arcs. Vogler [43] uses the word fair for what I call just. I believe the choice of the word "just" is warranted to distinguish the concept from the many other kinds of fairness that appear in the literature, which are all of a very different nature. Accordingly, Vogler calls the semantics induced by $\sqsubseteq^J$ the fair failure semantics, whereas I call it the just failures semantics. My set $\mathcal{F}^J(N)$ is called $\mathcal{FF}(N)$ in [43], and Vogler addresses $\sqsubseteq^J$ simply as $\mathcal{FF}$-inclusion, thereby defining it via the right-hand side of Prop. 1.


7 Congruence properties 


A preorder $\sqsubseteq$ is called a precongruence for an n-ary operator Op, if $N_i \sqsubseteq N_i'$ for $i = 1, \ldots, n$ implies that $Op(N_1, \ldots, N_n) \sqsubseteq Op(N_1', \ldots, N_n')$. In this case the operator Op is said to be monotone w.r.t. the preorder $\sqsubseteq$. Being a precongruence for important operators is known to be a valuable tool in compositional verification [41].

I write $\equiv$ for the kernel of $\sqsubseteq$, that is, $N \equiv N'$ iff $N \sqsubseteq N' \wedge N' \sqsubseteq N$. Here I also imply that $\equiv^C_B$ is the kernel of $\sqsubseteq^C_B$. If $\sqsubseteq$ is a precongruence for Op, then $\equiv$ is a congruence for Op, meaning that $N_i \equiv N_i'$ for $i = 1, \ldots, n$ implies that $Op(N_1, \ldots, N_n) \equiv Op(N_1', \ldots, N_n')$.

The preorder $\sqsubseteq^{Pr}_A$, characterised as reverse inclusion of infinite and partial traces, is well-known to be a precongruence for the operators of CCSP. However, none of the other preorders $\sqsubseteq^{Pr}_B$, nor $\sqsubseteq^{Pr}$, is a precongruence for parallel composition.


Example 3 Let N, N' and T be the nets drawn in the original (net drawings omitted here). The definition of $\|$ yields the nets $T\|_\emptyset N$ and $T\|_\emptyset N'$ (also drawn there). One has $N \equiv^{Pr} N'$, and thus also $N \equiv^{Pr}_B N'$, for each $B \subseteq A$. Namely $\mathcal{F}^{Pr}(N) = \mathcal{F}^{Pr}(N') = \{(\varepsilon, X) \mid X \subseteq A\}$. Here $\varepsilon$ denotes the empty string. When fixing B such that $B \neq A$ one may choose $w \notin B$. Now $\varepsilon \in \mathcal{F}^{Pr}_B(T\|_\emptyset N')$, for this process has an infinite execution path that avoids the w-transition, which generates a divergence trace $\varepsilon$. Yet $\varepsilon \notin \mathcal{F}^{Pr}_B(T\|_\emptyset N)$. Hence $T\|_\emptyset N \not\sqsubseteq^{Pr}_B T\|_\emptyset N'$, and thus also $T\|_\emptyset N \not\sqsubseteq^{Pr} T\|_\emptyset N'$. So neither $\sqsubseteq^{Pr}_B$ nor $\sqsubseteq^{Pr}$ are precongruences for $\|_\emptyset$.


A common solution to the problem of a preorder E not being a precongruence 
for certain operators is to instead consider its congruence closure, defined as the 
largest precongruence contained in C. 
In [30,15] the congruence closure of $\sqsubseteq^{Pr}$ is characterised as the so-called NDFD preorder $\sqsubseteq_{NDFD}$. Here $N \sqsubseteq_{NDFD} N'$ iff $N \sqsubseteq^{Pr} N'$ (characterised in the previous section) and moreover the divergence traces of N' are included in those of N. As remarked in [15], here it does not matter whether one requires congruence closure merely w.r.t. parallel composition and injective relabelling, or w.r.t. all operators of CSP (or CCSP, or anything in between).

Unlike $\sqsubseteq^{Pr}$, the preorder $\sqsubseteq^J$ is a precongruence for parallel composition. Although this has been proven already by Vogler [43], in [22, Appendix B] I provide a proof that bypasses the auxiliary notion of urgent transitions, and provides more details.


Proposition 2 ([43]) $\sqsubseteq^J$ is a precongruence for relabelling and abstraction.


Proof. This follows since $\mathcal{F}^J(f(N)) = \{(f(\sigma), X) \mid (\sigma, f^{-1}(X)) \in \mathcal{F}^J(N)\}$ and moreover $\mathcal{F}^J(\tau_I(N)) = \{(\tau_I(\sigma), X) \mid (\sigma, X \cup I) \in \mathcal{F}^J(N)\}$. Here $\tau_I(\sigma)$ is the result of pruning all I-actions from $\sigma \in A^\infty$.


Trivially, $\sqsubseteq^J$ also is a precongruence for the guarded choice $\sum_i a_i.P_i$ and for action prefixing of such a choice.

The preorder $\sqsubseteq^J_A$ can be seen to coincide with $\sqsubseteq^{Pr}_A$, characterised as reverse inclusion of infinite and partial traces, and thus is a precongruence for the operators of CCSP. Leaving open the case $|A \setminus B| = 1$, the preorders $\sqsubseteq^J_B$ with $|A \setminus B| \geq 2$ fail to be precongruences for parallel composition.


Example 4 Take $b, c \notin B$. Let N, N' and T be as shown in Fig. 4. Then $N \equiv^J_B N'$, as $\mathcal{F}^J_B(N) = \mathcal{F}^J_B(N') = \{\varepsilon, ab, ac\}$. (Whether $\varepsilon$ is included depends on whether $a \in B$.) Yet $T\|_A N \not\equiv^J_B T\|_A N'$, as $a \in \mathcal{F}^J_B(T\|_A N')$, yet $a \notin \mathcal{F}^J_B(T\|_A N)$.

[Fig. 4: the nets N, N', T, $T\|_A N$ and $T\|_A N'$ (drawing omitted)]

Fig. 4. The preorders $\sqsubseteq^J_B$ with $|A \setminus B| \geq 2$ fail to be precongruences for parallel comp.


Moreover, as illustrated below, the preorders $\sqsubseteq^J_B$ with $B \neq \emptyset$ and $|A \setminus B| \geq 1$ fail to be precongruences for abstraction. In the next section I will show that, for A infinite and $B \neq A$, the congruence closure of $\sqsubseteq^J_B$ for parallel composition, abstraction and relabelling is $\sqsubseteq^J$.


Example 5 Take $b \in B$ and $c \notin B$. Let N and N' be as shown in Fig. 5. Then $N \equiv^J_B N'$, as $\mathcal{F}^J_B(N) = \mathcal{F}^J_B(N') = \{\varepsilon, bc\}$. Yet $\tau_{\{b\}}(N) \not\equiv^J_B \tau_{\{b\}}(N')$, since $\varepsilon \in \mathcal{F}^J_B(\tau_{\{b\}}(N'))$, yet $\varepsilon \notin \mathcal{F}^J_B(\tau_{\{b\}}(N))$.

[Fig. 5: the nets N, N', $\tau_{\{b\}}(N)$ and $\tau_{\{b\}}(N')$ (drawing omitted)]

Fig. 5. The preorders $\sqsubseteq^J_B$ with $\emptyset \neq B \neq A$ fail to be precongruences for abstraction


8 Must Testing 


A test is a Petri net, but featuring a special action $\omega \notin A$, not used elsewhere. This action is used to mark success markings: those in which $\omega$ is enabled. If T is a test and N a net then $\tau_A(T\|_A N)$ is also a test. An execution path of $\tau_A(T\|_A N)$ is successful iff it contains a success marking.


Definition 9 A Petri net N may pass a test T, notation N may T, if $\tau_A(T\|_A N)$ has a successful execution path. It must pass T, notation N must T, if each complete execution path of $\tau_A(T\|_A N)$ is successful. It should pass T, notation N should T, if each finite execution path of $\tau_A(T\|_A N)$ can be extended into a successful execution path.

Write $N \sqsubseteq_{must} N'$ if N must T implies N' must T for each test T. The preorders $\sqsubseteq_{may}$ and $\sqsubseteq_{should}$ are defined similarly.


The may- and must-testing preorders stem from De Nicola & Hennessy [9], 
whereas should-testing was added independently in [5] and [36]. 

In the original work on testing [9] the CCS parallel composition $T|N$ was used instead of the concealed CCSP parallel composition $\tau_A(T\|_A N)$; moreover, only those execution paths consisting solely of internal actions mattered for the definitions of passing a test. The present approach is equivalent. First of all, restricting attention to execution paths of $T|N$ consisting solely of internal actions is equivalent to putting $T|N$ in the scope of a CCS restriction operator $\setminus A$ [34], for that operator drops all transitions of its argument that are not labelled $\tau$ or $\omega$. Secondly, CCS features a complementary action $\bar{a}$ for each $a \in A$, and one has $\bar{\bar{a}} = a$. For T a test, let $\bar{T}$ denote the complementary test in which each action $a \in A$ is replaced by $\bar{a}$; again $\bar{\bar{T}} = T$. It follows directly from the definitions of the operators involved that $\tau_A(T\|_A N)$ is identical³ to $(\bar{T}|N) \setminus A$. This proves the equivalence of the two approaches.


³ The standard definition of $|$ on Petri nets [28] is given only up to isomorphism. By choosing the names of places and transitions similar to those in the definition of $\|_A$ from [22, Appendix A] one can obtain $\tau_A(T\|_A N) = (\bar{T}|N) \setminus A$.
Unlike may- and should-testing, the concept of must-testing is naturally parametrised with a completeness criterion, deciding what counts as a complete execution. To make this choice explicit I use the notation $\sqsubseteq^C_{must}$, where C could be any of the completeness criteria surveyed in [25]. Since processes $\tau_A(T\|_A N)$ (or $(\bar{T}|N) \setminus A$) do not feature any actions other than $\tau$ and $\omega$, where $\omega$ is used merely to point to the success states, the modifier $B \subseteq A$ of a completeness criterion B-C has no effect, i.e., any two choices of this modifier are equivalent.

In the original work of [9] the default completeness criterion progress from Section 4 was employed. Interestingly, $\sqsubseteq^{Pr}_{must}$ is a congruence for the operators of CCSP that does not preserve all linear time properties. It is strictly coarser than $\sqsubseteq_{NDFD}$. In fact, it is the coarsest precongruence for the CCSP parallel composition and injective relabelling that preserves those linear time properties that express that a system will eventually reach a state in which something [good] has happened [15]. (In [15], following [32], but deviating from the standard terminology of [1], such properties are called liveness properties.)

In this paper I investigate the must-testing preorder when taking justness as the underlying completeness criterion, $\sqsubseteq^J_{must}$. Thm. 2 below shows that it can be characterised as the just failures preorder $\sqsubseteq^J$ of Section 6.

First note that Def. 9 can be simplified. When dealing with justness as completeness criterion, the word "complete" in Def. 9 is instantiated by "just" or "B-just", for some $B \subseteq A$ (not including $\omega$). As the result is independent of B, one may take $B := \emptyset$. Since the labelling of a net has no bearing on its execution paths, or on whether such a path is $\emptyset$-just, or successful, one may now drop the operator $\tau_A$ from Def. 9 without affecting the resulting notion of must testing.


Theorem 2 $N \sqsubseteq^J_{must} N'$ iff $N \sqsubseteq^J N'$.


Proof. The "if" direction is established in [22, Appendix C].

For "only if", suppose $N \sqsubseteq^J_{must} N'$. Using Prop. 1, it suffices to show that $\mathcal{F}^J(N) \supseteq \mathcal{F}^J(N')$. Let $(\sigma, X) \in \mathcal{F}^J(N')$, where $\sigma = a_1 a_2 \ldots \in A^\infty$ is a finite or infinite sequence of actions. Let T be the test displayed in Fig. 6. The drawing is for the case that $\sigma = a_1 a_2 \ldots a_n$ is finite; in the infinite case, there is no need to display $a_n$ separately. Now K must T, for any net K, when using justness as completeness criterion, iff each $\emptyset$-just execution path of $T\|_A K$ is successful, which is the case iff $(\sigma, X) \notin \mathcal{F}^J(K)$. (In other words, $T\|_A K$ has an unsuccessful $\emptyset$-just execution path iff $(\sigma, X) \in \mathcal{F}^J(K)$. For the meaning of $(\sigma, X) \in \mathcal{F}^J(K)$ is that K has an execution path $\pi$ with $\mathit{trace}(\pi) = \sigma$ such that $\ell(t) \in X \Rightarrow \neg\pi[t\rangle$.) Hence N' must not T and thus N must not T, and thus $(\sigma, X) \in \mathcal{F}^J(N)$.


Proposition 3 Let A be infinite and $B \neq A$. Then $\sqsubseteq^J$ is the congruence closure of $\sqsubseteq^J_B$ for parallel composition, abstraction and injective relabelling.


Proof. Pick an action $w \in A \setminus B$. Assume $N \not\sqsubseteq^J N'$. By applying an injective relabelling, one can assure that w does not occur in N or N'. Let $(\sigma, X) \in \mathcal{F}^J(N')$, yet $(\sigma, X) \notin \mathcal{F}^J(N)$, with $w \notin X$. Let T be the net of Fig. 6. Then, writing $\bar{A} := A \setminus \{w\}$, $(\sigma, \bar{A}) \in \mathcal{F}^J(T\|_{\bar{A}} N')$, yet $(\sigma, \bar{A}) \notin \mathcal{F}^J(T\|_{\bar{A}} N)$. Moreover, $(\rho, \bar{A}) \notin \mathcal{F}^J(T\|_{\bar{A}} N')$ and $(\rho, \bar{A}) \notin \mathcal{F}^J(T\|_{\bar{A}} N)$ for any $\rho \neq \sigma$ not containing the action w. Hence, applying the proof of Prop. 2, using that $\bar{A} \cup \bar{B} = A$, one has $(\varepsilon, \bar{B}) \in \mathcal{F}^J(\tau_{\bar{A}}(T\|_{\bar{A}} N'))$, yet $(\varepsilon, \bar{B}) \notin \mathcal{F}^J(\tau_{\bar{A}}(T\|_{\bar{A}} N))$. Thus $\varepsilon \in \mathcal{F}^J_B(\tau_{\bar{A}}(T\|_{\bar{A}} N'))$, yet $\varepsilon \notin \mathcal{F}^J_B(\tau_{\bar{A}}(T\|_{\bar{A}} N))$. It follows that $\tau_{\bar{A}}(T\|_{\bar{A}} N) \not\sqsubseteq^J_B \tau_{\bar{A}}(T\|_{\bar{A}} N')$. □

[Fig. 6: the universal test T, with branches "for each $b, b', \ldots \in X$" (drawing omitted)]

Fig. 6. Universal test for just must testing


9 Timed must-testing 


A timed form of must-testing was proposed by Vogler in [43]. Justness says that each transition that gets enabled must fire eventually, unless one of its necessary resources will be taken away. In Vogler's framework, each transition t must fire within 1 unit of time after it becomes enabled, even though it can fire faster. The implicit timer is reset each time t becomes disabled and enabled again, by another transition taking a token and returning it to one of the preplaces of t. Since there is no lower bound on the time that may elapse before a transition fires, this view encompasses the same asynchronous behaviour of nets as under the assumption of justness.

Vogler's work only pertains to safe nets: those with the property that no reachable marking allocates multiple tokens to the same place. Here a marking is reachable if it occurs in some execution path. Transitions t with $^\bullet t = \emptyset$ are excluded. Although he only considered finite nets, here I apply his work unchanged to finitely branching nets: those in which only finitely many transitions are enabled in each reachable marking.


Definition 10 ([43]) A continuous(ly timed) instantaneous description (CID) of a net N is a pair $(M, \xi)$ consisting of a marking M of N and a function $\xi$ mapping the transitions enabled under M to $[0, 1]$; $\xi$ describes the residual activation time of an enabled transition.

The initial CID is $CID_0 = (M_0, \xi_0)$ with $\xi_0(t) = 1$ for all t with $M_0[t\rangle$.

One writes $(M, \xi)[\eta\rangle(M', \xi')$ if one of the following cases applies:

(1) $\eta = u \in T$, $M[u\rangle M'$, $\xi'(t) := \xi(t)$ for those transitions t enabled under $M - {}^\bullet u$, and $\xi'(t) := 1$ for the other transitions enabled under M'.
(2) $\eta = r \in \mathbb{R}^+$, $r \leq \min(\xi)$, $M' = M$ and $\xi' = \xi - r$.

A timed execution path $\pi$ is an alternating sequence of CIDs and elements $t \in T$ or $r \in \mathbb{R}^+$, defined just like an execution path in Def. 6. Let $\zeta(\pi) \in \mathbb{R} \cup \{\infty\}$ be the sum of all time steps in a timed execution path $\pi$, the duration of $\pi$.

A timed test is a pair (T, D) of a test T and a duration $D \in \mathbb{R}_{\geq 0}$. A net must pass a timed test (T, D), notation N must (T, D), if each timed execution path $\pi$ with $\zeta(\pi) > D$ contains a transition labelled $\omega$. Write $N \sqsubseteq^{timed}_{must} N'$ if N must (T, D) implies N' must (T, D) for each timed test (T, D).


Vogler shows that the preorder $\sqsubseteq^{timed}_{must}$ is strictly finer than $\sqsubseteq^J$. In fact, although $\tau.a.0 \equiv^J a.0$, one has $\tau.a.0 \not\sqsupseteq^{timed}_{must} a.0$, since only the latter process must pass the timed test $(a.\omega, 2)$. Here I use that each of the actions $\tau$, a and $\omega$ may take up to 1 unit of time to occur. A statement $N \sqsubseteq^{timed}_{must} N'$ says that N' is faster than N, in the sense that composed with a test it is guaranteed to reach success states in less time than N.
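To make the two cases of Def. 10 and the example above concrete, here is an added example (written for this page, not code from the paper or from Vogler) implementing the timed step relation for safe nets and replaying it on hand-built nets for $\tau.a.0$ and $a.0$ composed with the test $a.\omega$. The composed nets are constructed directly rather than by implementing $\|$, read arcs are omitted, and all place and transition names are assumptions of this example.

```python
# Added example, not code from the paper: the timed step relation of Def. 10
# (Vogler's CIDs) for safe nets, where a marking is a set of places.  A
# transition is a tuple (name, label, preset, postset); read arcs are omitted.
from math import inf


def enabled(M, t):
    """M[t>: the preset of t is contained in the marking M (safe net)."""
    return t[2] <= M


def initial_cid(net, M0):
    """CID_0 = (M_0, xi_0) with xi_0(t) = 1 for every t enabled under M_0."""
    return M0, {t: 1.0 for t in net if enabled(M0, t)}


def timed_fire(net, cid, u):
    """Case (1): fire u.  Transitions still enabled under M minus the preset
    of u keep their residual time; transitions newly enabled under M' get 1."""
    M, xi = cid
    if not enabled(M, u):
        raise ValueError(f"{u[0]} is not enabled")
    rest = M - u[2]                 # M minus the preset of u
    M2 = rest | u[3]                # the unique M' with M[u>M'
    xi2 = {t: (xi[t] if enabled(rest, t) else 1.0)
           for t in net if enabled(M2, t)}
    return M2, xi2


def timed_delay(cid, r):
    """Case (2): let r > 0 time units pass; only allowed while no enabled
    transition has exhausted its residual activation time (r <= min xi)."""
    M, xi = cid
    if not 0 < r <= min(xi.values(), default=inf):
        raise ValueError(f"delay {r} exceeds the residual time of a transition")
    return M, {t: x - r for t, x in xi.items()}


def run(net, M0, steps):
    """Execute a timed path given as transitions and delays.  Returns the
    final CID, the duration zeta(pi) and the labels fired; raises ValueError
    when the path is not permitted by Def. 10."""
    cid, duration, labels = initial_cid(net, M0), 0.0, []
    for s in steps:
        if isinstance(s, tuple):
            cid = timed_fire(net, cid, s)
            labels.append(s[1])
        else:
            cid = timed_delay(cid, s)
            duration += s
    return cid, duration, labels


def fs(*places):
    return frozenset(places)


# Constructed nets: each process composed with the test a.omega, synchronising
# on a; places p* belong to the process, q* to the test.
TAU = ("tau", "tau", fs("p0"), fs("p1"))
A_AFTER_TAU = ("a", "a", fs("p1", "q0"), fs("q1"))
A_FIRST = ("a", "a", fs("p0", "q0"), fs("q1"))
OMEGA = ("omega", "omega", fs("q1"), fs())
TAU_A_TEST = [TAU, A_AFTER_TAU, OMEGA]   # tau.a.0 composed with a.omega
A_TEST = [A_FIRST, OMEGA]                # a.0 composed with a.omega
M0 = fs("p0", "q0")

if __name__ == "__main__":
    # tau, a and omega may each take a full unit: duration 3 without omega,
    # so tau.a.0 does not must-pass the timed test (a.omega, 2)
    print(run(TAU_A_TEST, M0, [1.0, TAU, 1.0, A_AFTER_TAU, 1.0]))
    # for a.0 the residual time of omega is exhausted at duration 2, so no
    # further delay is permitted before omega fires
    try:
        run(A_TEST, M0, [1.0, A_FIRST, 1.0, 0.5])
    except ValueError as e:
        print("rejected:", e)
```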

Here I show that when abstracting from the quantitative dimension of timed must-testing, it exactly characterises $\sqsubseteq^J$.


Definition 11 A net must eventually pass a test T if there exists a $D \in \mathbb{R}_{\geq 0}$ such that N must (T, D). Write $N \sqsubseteq^{ev}_{must} N'$ if when N must eventually pass a test T, then so does N'.


Theorem 3 Let N, N' be finitely branching safe nets. Then $N \sqsubseteq^{ev}_{must} N'$ iff $N \sqsubseteq^J N'$.


A proof can be found in [22, Appendix D]. 


10 Conclusion 


The just failures preorder $\sqsubseteq^J$ was introduced by Walter Vogler [43] in 2002. Since then it has not received much attention in the literature, and has not been used as the underlying semantic principle justifying actual verifications. In my view this can be seen as a fault of the subsequent literature, as $\sqsubseteq^J$ captures exactly what is needed—no more and no less—for the verification of safety and liveness properties of realistic systems.

I substantiate this claim by pointing out that $\sqsubseteq^J$ is the coarsest preorder preserving safety and liveness properties when assuming justness, that is a congruence for basic process algebra operators, such as the partially synchronous parallel composition, abstraction from internal actions, and renaming. As argued in [25,18,24,17], justness is better motivated and more suitable for applications than competing completeness criteria, such as progress or the many notions of fairness surveyed in [24].

Moreover, I adapt the well-known must-testing preorder of De Nicola & Hennessy [9], by using justness as the underlying completeness criterion, instead of the traditional choice of progress. By showing that the resulting must-testing preorder $\sqsubseteq^J_{must}$ coincides with $\sqsubseteq^J$ I strengthen the case that this is a natural and fundamental preorder.

This conclusion is further strengthened by my result that it also coincides with a qualitative version $\sqsubseteq^{ev}_{must}$ of the timed must-testing preorder $\sqsubseteq^{timed}_{must}$ of Vogler [43]. (Although $\sqsubseteq^{timed}_{must}$ and $\sqsubseteq^J$ stem from the same paper [43], this connection was not made there.)

All this was shown in the setting of Petri nets extended with read arcs, and 
therefore also applies to the settings of standard process algebras such as CCS, 
CSP or ACP. Since I cover read arcs, it also applies to process algebras enriched 
with signalling, an operator that extends the expressiveness of standard process 
algebras and is needed to accurately model mutual exclusion. I leave it for future 
work to explore these matters for probabilistic models of concurrency, or other 
useful extensions. 


[Fig. 7: diagram relating $\sqsubseteq^{Pr}_{must}$, $\sqsubseteq_{may}$, $\sqsubseteq_{should}$, $\sqsubseteq^{Pr}_{reward}$, $\sqsubseteq^J_{must}$, $\sqsubseteq^{ev}_{must}$ and the bisimilarities (drawing omitted)]

Fig. 7. A spectrum of testing preorders and bisimilarities preserving liveness properties


Fig. 7 situates $\sqsubseteq^J_{must}$ w.r.t. some other semantic preorders from the literature. The lines indicate inclusions. Here $\sqsubseteq^{Pr}_{must}$, $\sqsubseteq_{may}$ and $\sqsubseteq_{should}$ are the classical must-, may- and should-testing preorders from [9] and [5,36]—see Def. 9—and $\sqsubseteq^{Pr}_{reward}$ is the reward-testing preorder introduced by me in [19]. The failures-divergences preorder of CSP [6,42], defined in a similar way as $\sqsubseteq^{Pr}_{must}$, coincides with $\sqsubseteq^{Pr}_{must}$ [9,19]. $\leftrightarrow$ denotes the classical notion of strong bisimilarity [34], and $\leftrightarrow_{ep}$, $\leftrightarrow_{sp}$ are essentially the only other preorders (in fact equivalences) that preserve linear time properties when assuming justness: the enabling preserving bisimilarity of [26] and the structure preserving bisimilarity of [16].

The inclusions follow directly from the definitions—see refs.—and counterexamples against further inclusions appear below.

[table of counterexample processes separating the preorders of Fig. 7 (not recoverable from the extraction)]
Abstract. Given a textual representation of a finite-state concurrent program P, one can construct the corresponding Kripke structure M. However, the size of M can be exponentially larger than the textual size of P. This state explosion can make model checking properties of P via M expensive or even infeasible. The action of a symmetry group G on M can be used to produce a smaller Kripke structure $\overline{M}$. Various authors have exploited the direct correspondence between M and $\overline{M}$ to perform model checking. When the structure M does not satisfy a formula, one can look for a substructure that will satisfy the formula. We call this substructure-repair: identifying a substructure of M that satisfies a given temporal logic formula.

In this paper we extend previous work by showing that repairs of $\overline{M}$ lift to repairs of M. In other words, we can repair a computer program P, which exhibits a high degree of symmetry, by repairing the smaller Kripke structure $\overline{M}$ and then symmetrizing the corresponding program. To do this we arrange the substructures of M and $\overline{M}$ into substructure lattices that are ordered by substructure inclusion. We show that the substructures of M preserved by G form a (sub)lattice that maps to the substructure lattice of $\overline{M}$. When restricted to the lattice of substructures of M that are "maximal" with the action of G on M, the above map is a lattice isomorphism.

These results enable us to repair $\overline{M}$ and then to lift the repair to M. In cases where a program has a high degree of symmetry, such as in many concurrent programs, we can repair the program by repairing the small Kripke structure $\overline{M}$.


Keywords: Model checking · symmetry reduction · model repair


1 Introduction 


To model check a program P, one first constructs a Kripke structure M. In general, the Kripke structure M is generated by all potential executions of P. The model checking problem for a program P w.r.t. a temporal logic formula $\varphi$ is to verify that the Kripke structure M generated by the execution of P satisfies $\varphi$ [8]. A major obstacle to model checking a concurrent program via its Kripke structure is state explosion: in general, the size of M is exponential in the number of processes n. As studied by Emerson and Sistla [18] and extended by others [10,14,21], the use of symmetry reduction to ameliorate state-explosion can yield a significant reduction in the complexity of model checking $M \models \varphi$ when both M and $\varphi$ have a high degree of symmetry in the process index set $\{1, \ldots, n\}$.

For a Kripke structure M, we capture the symmetry of M using the group G of automorphisms of both M and $\varphi$. The quotient structure $\overline{M} = M/G$ of M by G often has significantly fewer states than M. Since $\overline{M}$ can be computed directly from the original P, we avoid the expensive computation of the large structure M. Model checking $\overline{M} \models \varphi$ is linear in the size of $\overline{M}$ [8], so this provides significant savings if $\overline{M}$ is small, i.e., if G is large.

If $M \not\models \varphi$, then we can search for a model $N$ related to $M$ such that $N \models \varphi$.
In this paper we focus on substructure-repair: we require $N$ to be a substructure
of $M$. The key idea behind substructure-repair is to remove execution paths
which violate required properties, e.g., paths that lead to a violation of mutual
exclusion. We give examples in Section 6 of different properties and substructure
repairs with respect to these properties. Substructure-repairs can always
repair $M$ w.r.t. all universal properties (those expressible using universal path
quantification [26]).¹


1.1 Our Contributions 


We present a theory of substructures of Kripke structures. Using this theory
we establish an evaluation-preserving correspondence between certain substructures
of the original Kripke structure $M$ and the substructures of the quotient
structure $\bar{M}$ (this is Theorem 2). This correspondence is a functorial form of
bisimilarity between a certain lattice of substructures of $M$ and the lattice of
substructures of $\bar{M}$. Hence for a given formula $\varphi$, substructure-repairs of $\bar{M}$
with respect to $\varphi$ can be lifted to substructure-repairs of $M$ with respect to $\varphi$
(this is Theorem 3). This correspondence of Kripke substructure lattices is of
independent mathematical interest as an example of a monotone Galois connection.

We build on our theory to extend group theoretic model checking to concurrent
program repair: given a concurrent program $P$ that may not satisfy $\varphi$,
modify $P$ to produce a program that does satisfy $\varphi$. Given $P$, $\varphi$, and a group
$G$ that acts on both $P$ and $\varphi$, our method directly computes the quotient $M/G$
(following [18]), then repairs $M/G$, using the algorithm of [2], and finally
extracts a correct program from the repaired structure.

The rest of the paper proceeds as follows: Section 3 contains the formal definition
of Kripke structures and substructures. In Section 4, after briefly recalling
group actions, we show how one can use a group to obtain a quotient $\bar{M}$ of $M$
and the repair correspondence between $M$ and $\bar{M}$. We extend our results to the
repair of concurrent programs in Section 5. Section 6 presents some examples.
In particular, we show that a structure $M$ might have a nonempty repair even
if the quotient $\bar{M}$ does not. In Section 7 we examine what classes of Kripke
structures and what types of formulae guarantee the existence of quotient based
repairs.


¹ Existential path properties could be dealt with by first adding sufficient transitions
to $M$ so that the augmented structure now contains the desired paths. One can then
perform substructure-repair so that universal path properties are also satisfied.


2 Related Work 


Our work combines model/program repair [5,25,29,32] and symmetry reductions
via group actions [7,10,16,18-22]. Le Goues et al. [25] provide a modern
introduction to program repair, although their results generally relate to program
repair based on the textual representation of the program. Our approach repairs
a Kripke structure w.r.t. a computation tree logic (CTL) formula and uses that
to repair the corresponding program.


2.1 Computation Tree Logic Repair 


Buccafurri et al. [5] posed the repair problem for CTL and solved it using abductive
reasoning to generate repair suggestions that are verified by model checking.
Jobstmann et al. [29] and Staber et al. [32] used game-based repair methods
for programs and circuits, although their method is complete for invariants only.

Chatzieleftheriou et al. [6] repair abstract structures, using Kripke modal
transition systems and 3-valued CTL semantics. Von Essen and Jobstmann [23]
present a game-based repair method which attempts to keep the repaired program
close to the original faulty program, by also specifying a set of traces that
the repair must leave intact.

The work of Attie et al. [2] establishes that repair by abstraction can avoid 
state explosion. However, repairs of abstracted structures do not always lift to 
repairs of the original structure. Within networks, Namjoshi and Trefler [30] 
have shown that a combination of abstraction and group actions can be used to 
produce smaller structures. 


2.2 Group theoretic model checking 


Group theoretic approaches to symmetry reduction in model checking began in
1995 with work by Emerson and a collection of coauthors [7,10,14,16,18-22], who
compute the quotient $M/G$ and model check $M/G$ instead of the original (much
larger) structure $M$. The group theoretic approach to model checking works
because $M$ and $M/G$ are bisimilar with respect to certain formulae.

A requirement for group theoretic model checking or repair is calculating the
group of symmetries in question. We will see that larger groups of symmetries
result in smaller quotient models. Clarke et al. [7] showed that calculating the
orbit of a group action, a part of model checking via symmetry, is at least as
difficult as graph isomorphism. However, in many practical cases concurrent
programs have a natural symmetry obtained by swapping certain processes, so many
concurrent programs have a small symmetry group that is known in advance. Donaldson
and Miller [11] showed that there is a process to build a larger symmetry group
for a program from a smaller symmetry group.

A related approach is the use of structural methods to express symmetric de- 
signs, e.g., parameterized systems, where processes are all instances of a common 
template (possibly with a distinguished controller process) [1,9,24], and rings 
of processes, where all communication is between a process and its neighbors in 
the ring [9, 15,17]. 


3 Temporal Logic and Kripke Structures 


Computation tree logic (CTL) is a propositional branching-time temporal logic 
used to model the possible computational branches taken by a system [12, 13]. 
The semantics of CTL are defined with respect to a Kripke structure. 


Definition 1 (Kripke structure). A Kripke structure $M$ is a tuple
$(S, S_0, T, L, AP)$ where $S$ is a finite set of states, $S_0 \subseteq S$ is a set of initial
states, $T \subseteq (S \times S)$ is a transition relation, $AP$ is a finite set of atomic propositions,
and $L : S \to 2^{AP}$ is a labeling function that associates each state $s \in S$
with a subset of atomic propositions, namely those that hold in state $s$.


We require that $M$ be total: $\forall s \in S,\ \exists t \in S : (s,t) \in T$, and that $S \neq \emptyset$ implies
$S_0 \neq \emptyset$. Also, different states have different labels: $s \neq t \Rightarrow L(s) \neq L(t)$. We
admit the empty Kripke structure, i.e., $S = \emptyset$, due to mathematical necessity.

When referring to the constituents of $M = (S, S_0, T, L, AP)$, we write $M_S$,
$M_{S_0}$, $M_T$, $M_L$, and $M_{AP}$ respectively. State $t$ is a successor of state $s$ in $M$
iff $(s,t) \in T$. We will write $s \to t$ in this case. A path $\pi$ in $M$ is a (finite or
infinite) sequence of states, $\pi = s_0, s_1, \ldots$, such that $\forall i \geq 0 : (s_i, s_{i+1}) \in T$.

To model the behavior of a concurrent program $P = P_1 \,\|\cdots\|\, P_n$, we define
a special type of Kripke structure: a multiprocess Kripke structure is one in
which the set of atomic propositions $AP$ is partitioned into disjoint subsets
$AP_1, \ldots, AP_n$, states have the form $(s_1, \ldots, s_n)$ and transitions $T$ are partitioned
into disjoint subsets $T_1, \ldots, T_n$. The set of atomic propositions "owned" by $P_i$
is denoted by $AP_i$: they can only be changed by $P_i$, but can be read by other
processes. The local state of $P_i$ is written as $s_i$, and is labelled by the subset of
$AP_i$ whose propositions are true in $s_i$. Then, the truth value of $p \in AP_i$ in global
state $(s_1, \ldots, s_n)$ is given by its value in local state $s_i$. $T_i$ gives the transitions
of process $P_i$, which are denoted as $s \xrightarrow{i} t$. For state $s = (s_1, \ldots, s_n)$, define
$s{\upharpoonright}i = s_i$, and $s{\downharpoonright}i = (s_1, \ldots, s_{i-1}, s_{i+1}, \ldots, s_n)$. We then require $s{\downharpoonright}i = t{\downharpoonright}i$ for
every transition $s \xrightarrow{i} t$, i.e., transitions by $P_i$ do not change atomic propositions
of other processes.

A CTL formula $\varphi$ is evaluated (i.e., is true or false) in a state $s$ of a Kripke
structure $M$ [13]. We write $M, s \models \varphi$ when $\varphi$ is true in state $s$ of structure $M$,
and write $M \models \varphi$ to abbreviate $\forall s_0 \in S_0 : M, s_0 \models \varphi$, i.e., $\varphi$ holds in all initial
states of $M$. The formal definition of $\models$ proceeds by induction on the structure
of CTL formulae [12,13] and is omitted for space reasons.
Example 1 (Example Box). The "Box" Kripke structure in Figure 1 has 4 states and
transitions as shown. Its set of atomic propositions is empty, and so all states
have empty labels, as indicated by "()". There is a natural group acting on this
Kripke structure, i.e., the group generated by the action which exchanges the
state $s_1$ with $s_2$, and the state $t_1$ with $t_2$.


Fig. 1. The Box Kripke structure.


The theory of substructures presented below is motivated by the concept of a
substructure-repair of a structure $M$ with respect to a formula $\varphi$, i.e., a
substructure $N$ of $M$ such that $N \models \varphi$.


Definition 2 (Substructure, $\leq$). Given Kripke structures $M$ and $N$, we say
that $N$ is a substructure of $M$, denoted $N \leq M$, iff the following all hold:


1. $N_S \subseteq M_S$.

2. $N_{S_0} = M_{S_0} \cap N_S$.

3. $N_T \subseteq M_T$.

4. $N_{AP} = M_{AP}$.

5. $N_L = M_L|_{N_S}$ (where $|$ denotes domain restriction).

6. For all $s \in N_S$ there is a $t \in N_S$ such that $(s,t) \in N_T$, i.e., $N$ is total.


For mathematical necessity in what follows, we allow for the 'empty' substructure.
We do not, however, accept an empty substructure as a valid repair.
It is immediate that $\leq$ is a reflexive partial order. Lemmas 1 and 2 below imply
that the substructures of $M$ can be regarded as a lattice, with join and meet
operations as follows.


Lemma 1. Let $M$ be a Kripke structure and suppose that $N$ and $N'$ are substructures
of $M$. Then


$N \vee N' = (N_S \cup N'_S,\ N_{S_0} \cup N'_{S_0},\ N_T \cup N'_T,\ M_L|_{N_S \cup N'_S},\ M_{AP})$
is the smallest substructure of $M$ containing both $N$ and $N'$.


Given a nonempty finite set $X = \{X_0, X_1, \ldots, X_n\}$ of substructures of $M$,
we define the structure $\bigvee X = X_0 \vee X_1 \vee \cdots \vee X_n$.


Lemma 2. Let $M$ be a Kripke structure and suppose that $N$ and $N'$ are substructures
of $M$. Then there exists a largest substructure of $M$ contained in both
$N$ and $N'$.


Definition 3 (Join, Meet of Substructures). Let $N$ and $N'$ be two substructures
of $M$. The join of $N$ and $N'$, written $N \vee N'$, is the smallest substructure
of $M$ containing both $N$ and $N'$. The meet of $N$ and $N'$, written $N \wedge N'$, is
the largest substructure of $M$ contained in both $N$ and $N'$.


The join $N \vee N'$ has a simple description as given in Lemma 1. However, the
meet $N \wedge N'$, while well-defined, does not have such a simple description: the
componentwise intersection of two total substructures need not be total, so states
left without successors have to be pruned until a total substructure remains. It is
possible that for two substructures $N$ and $N'$ of a Kripke structure $M$, there
are no non-empty substructures contained in both $N$ and $N'$. Hence the largest
substructure contained in both $N$ and $N'$ could be empty.

We can now define a lattice of substructures $\Lambda_M$ for a given structure $M$.


Definition 4 (Lattice of Substructures). Given a Kripke structure $M$ the
lattice of substructures of $M$ is $\Lambda_M = (\{N : N \text{ is a substructure of } M\}, \leq)$
where the meet and join in $\Lambda_M$ are as given in Definition 3.
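The following Python is an added example, not code from the paper: it encodes a Kripke structure as plain sets, checks the conditions of Definition 2, forms the join of Lemma 1 by componentwise union, and computes the meet of Lemma 2 by pruning the intersection until it is total, discarding the result if no initial state survives (the paper requires $S \neq \emptyset \Rightarrow S_0 \neq \emptyset$). The four-state structure `M` and the substructures `N1`, `N2`, `N3` are constructed here for illustration and are not the paper's Example Box.

```python
# Added example (not from the paper): Kripke structures as plain frozensets,
# the substructure test of Definition 2, the join of Lemma 1 and the meet of
# Lemma 2.  The 4-state structure M and substructures N1..N3 are constructed.
from typing import Dict, FrozenSet, Hashable, NamedTuple, Tuple

State = Hashable
Trans = Tuple[State, State]


class Kripke(NamedTuple):
    S: FrozenSet[State]
    S0: FrozenSet[State]
    T: FrozenSet[Trans]
    L: Dict[State, FrozenSet[str]]   # M_L; M_AP is the union of the label values


def is_total(K: Kripke) -> bool:
    """Every state has a successor (Definition 2, item 6)."""
    return all(any(a == s for (a, _) in K.T) for s in K.S)


def is_substructure(N: Kripke, M: Kripke) -> bool:
    """N <= M per Definition 2; the empty structure counts as a substructure."""
    return (N.S <= M.S
            and N.S0 == M.S0 & N.S
            and N.T <= M.T
            and set(N.L) == set(N.S)
            and all(N.L[s] == M.L[s] for s in N.S)
            and is_total(N)
            and (not N.S or bool(N.S0)))      # S != {} implies S0 != {} (Section 3)


def restrict(M: Kripke, S: FrozenSet[State], T: FrozenSet[Trans]) -> Kripke:
    """The candidate substructure of M with states S and transitions T
    (initial states and labels follow from M; totality is not checked here)."""
    return Kripke(S, M.S0 & S, T, {s: M.L[s] for s in S})


def join(N1: Kripke, N2: Kripke, M: Kripke) -> Kripke:
    """Lemma 1: componentwise union.  Totality is inherited from N1 and N2."""
    return restrict(M, N1.S | N2.S, N1.T | N2.T)


def meet(N1: Kripke, N2: Kripke, M: Kripke) -> Kripke:
    """Lemma 2: the largest total substructure inside both N1 and N2.

    The intersection need not be total, so states without a successor (and
    the transitions touching them) are pruned until a fixpoint is reached.
    If no initial state survives, only the empty substructure remains.
    """
    S, T = N1.S & N2.S, N1.T & N2.T
    while True:
        dead = {s for s in S if not any(a == s for (a, _) in T)}
        if not dead:
            break
        S = S - dead
        T = frozenset((a, b) for (a, b) in T if a not in dead and b not in dead)
    if S and not (M.S0 & S):
        S, T = frozenset(), frozenset()
    return restrict(M, S, T)


# Constructed example: a <-> b and a -> c <-> d, initial state a.  Labels are
# distinct per state, as Section 3 requires.
_L = {s: frozenset({"at_" + s}) for s in "abcd"}
M = Kripke(frozenset("abcd"), frozenset("a"),
           frozenset([("a", "b"), ("b", "a"), ("a", "c"), ("c", "d"), ("d", "c")]), _L)
N1 = restrict(M, frozenset("ab"), frozenset([("a", "b"), ("b", "a")]))
N2 = restrict(M, frozenset("acd"), frozenset([("a", "c"), ("c", "d"), ("d", "c")]))
N3 = restrict(M, frozenset("abcd"), M.T - {("a", "c")})      # M without a -> c


def demo() -> Tuple[bool, bool, bool, bool]:
    """join(N1,N2) is M; N1 and N2 meet only in the empty structure; N1 and N3
    meet in N1; N3 and N2 share the total cycle {c, d}, but it holds no initial
    state, so their meet is empty as well."""
    return (join(N1, N2, M) == M,
            meet(N1, N2, M).S == frozenset(),
            meet(N1, N3, M) == N1,
            meet(N3, N2, M).S == frozenset())
```

The last case in `demo` is the one to keep in mind when reading Lemma 2: the pruning loop alone would return the cycle on `c` and `d`, which is total, but it is not a Kripke structure in the paper's sense because it has no initial state, so the meet collapses to the empty substructure.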


4 Quotient Structures 


We capture the symmetry in a Kripke structure $M$ with the notion of state-mapping:
a graph isomorphism on $M$ which preserves initial states. State-mappings
also preserve paths since they are isomorphisms. We ignore for now
the labelling function $M_L$, i.e., which atomic propositions hold in which states,
and concern ourselves only with the graph structure of $M$. Since the atomic
proposition labelling obviously affects the truth of CTL formulae in states of
$M$, it must be accounted for. We do this below using the notion of $G$-invariant
CTL formula. Thus, we decompose the symmetry characterization of $M$ into two
separate concerns: the graph structure of $M$, handled using state-mappings, and
the atomic proposition labelling of states of $M$, handled using $G$-invariant CTL
formulae.

A type of symmetry of particular interest is the symmetry of a multiprocess
Kripke structure w.r.t. the process indices $1, \ldots, n$ of the corresponding concurrent
program $P_1 \,\|\cdots\|\, P_n$, as we illustrate below. Our theory, however, applies
to Kripke structures in general.


4.1 Groups Acting on Kripke Structures 


Definition 5. A state-mapping of $M$ is a graph isomorphism of the state-space
of $M$ such that its restriction to the initial states is also an isomorphism, i.e.,
it takes initial states to initial states. Formally, for a Kripke structure $M$, a state-mapping
of $M$ is a bijection $f : M_S \to M_S$ such that:


- $f(M_{S_0}) = M_{S_0}$;
- For states $s, t \in M_S$ we have that $(s,t) \in M_T \iff (f(s), f(t)) \in M_T$.


The set of all state-mappings of $M$ forms a group. This means that the composition
of any two state-mappings is another state-mapping and for any state-mapping
$f$ on $M$ there is another state-mapping $g$ on $M$ such that $f(g(s)) = s$
and $g(f(s)) = s$. We refer to the manuscripts by Isaacs [27,28] and Serre [31]
for a more in-depth introduction to group theory.


Definition 6 (G-closed). For a group $G$ of state-mappings of a Kripke structure
$M$, a substructure $N$ of $M$ is called $G$-closed if $G$ is a group of state-mappings
of $N$, i.e., for every $g \in G$ and $s \in N_S$ we have $g(s) \in N_S$.


Lemma 3. Let $M$ be a Kripke structure and let $G$ be a group of state-mappings
of $M$. Let $N, N'$ be two $G$-closed substructures of $M$. Then $N \vee N'$ and $N \wedge N'$
are both $G$-closed.


By Lemma 3, we see that the $G$-closed substructures of $M$ form a sublattice
of $\Lambda_M$. This is a sublattice in the strict sense: its meet and join operations are the
same as those of $\Lambda_M$.


Definition 7 (Lattice of G-closed substructures). Given a Kripke structure
$M$ and a group $G$ of state-mappings of $M$, the poset of $G$-closed substructures
of $M$ forms a lattice. We call this the lattice of $G$-closed substructures
of $M$ and write it as $\Lambda_{M,G}$.


Example 1 (Example Box). Let $M$ be Example Box, i.e., the Kripke structure
presented in Figure 1. Let $g$ be the map that simultaneously switches $s_1$ and
$s_2$, and switches $t_1$ and $t_2$, i.e., $g(s_1) = s_2$, $g(s_2) = s_1$, $g(t_1) = t_2$, $g(t_2) = t_1$.
Let $G$ be the group consisting of $g$ and the identity map on $M_S$. We note that
$G$ is not the entire group of state-mappings of $M$. The structure $M$ has 10 $G$-closed
substructures, including the empty structure. We present some of these
structures in Figure 2.


Fig. 2. Four $G$-closed substructures (a)-(d) of Example Box, where $G$ is the group generated
by the simultaneous swapping of the indices of both the $s_i$ and the $t_i$. Note that each
of the structures is a substructure of the structure to its right. Looking ahead to
Definition 10, only the entire structure (d) is $G$-maximal.


4.2 Constructing the Quotient structure 


Given a group $G$ of state-mappings of a structure $M$, we want to construct
a quotient structure $M/G$. However, as noted, state-mappings do not contain
any information about $M_L$. To remedy this situation, we need a function that
assigns a representative to each orbit of $G$, where for $s \in M_S$ the orbit of $s$ is
$\{g(s) : g \in G\}$.


Definition 8 (Representative map). Let $M$ be a Kripke structure and suppose
that $G$ is a group of state-mappings of $M$. A representative map of $M$
with respect to $G$ is a function $\vartheta_G : M_S \to M_S$ satisfying the following:
- For all $s, s' \in M_S$, if there is some $g \in G$ such that $g(s) = s'$ then $\vartheta_G(s) = \vartheta_G(s')$. (respects orbits)

- For all $s, s' \in M_S$, if there is no $g \in G$ such that $g(s) = s'$ then $\vartheta_G(s) \neq \vartheta_G(s')$. (separates orbits)

- For all $s \in M_S$, we have that $\vartheta_G(\vartheta_G(s)) = \vartheta_G(s)$, i.e., each orbit has a
stable representative. (idempotent)


We define $\vartheta_G(S) = \{\vartheta_G(s) \mid s \in S\}$.


Definition 9 (Quotient structure). Given a Kripke structure $M$, a group $G$
of state-mappings of $M$, and a representative map $\vartheta_G$ of $M$ with respect to $G$,
we define the quotient structure $\bar{M} = M/(G, \vartheta_G)$ of $M$ with respect to $G$ and
$\vartheta_G$ as follows, where we write $\bar{s}, \bar{t}$ for $\vartheta_G(s), \vartheta_G(t)$, respectively:


- $\bar{M}_S = \vartheta_G(M_S)$, i.e., the states of $\bar{M}$ are the image under $\vartheta_G$ of the states
of $M$.

- $\bar{M}_T$ consists of all $(\bar{s}, \bar{t})$ such that there exist $s \in M_S$ with $\vartheta_G(s) = \bar{s}$ and
$t \in M_S$ with $\vartheta_G(t) = \bar{t}$ such that $(s,t) \in M_T$.

- $\bar{M}_{S_0} = \vartheta_G(M_{S_0})$, i.e., the initial states of $\bar{M}$ are the image under $\vartheta_G$ of
the initial states of $M$.

- $\bar{M}_L(\bar{s}) = M_L(\bar{s})$, i.e., the label of a state in $\bar{M}$ is the same as its label in
$M$.

- $\bar{M}_{AP} = M_{AP}$, i.e., $\bar{M}$ has the same atomic propositions as $M$.


Thus the states of a quotient structure correspond exactly to the orbits of states 
of the original structure under the group of state mappings. For transitions, we 
have a slightly more subtle correspondence. Consider the following examples: 


Example 2. In Figure 3 we demonstrate the correspondence between Kripke
structures, $G$-closed substructures, and their quotients. In the figure, we present
a multiprocess Kripke structure $M$ corresponding to two concurrent processes
$P_1$ (atomic propositions and transitions in blue) and $P_2$ (atomic propositions
and transitions in red). The group $G$ of state-mappings swaps the indices of the
processes. This structure has a $G$-closed substructure $N$ constructed by removing
the 'center' state $u_0$. Define $\vartheta_G$ to take the 'left-most' state of each orbit in
Figure 3. The quotient structure $M/(G, \vartheta_G)$ appears in the top right. While this quotient structure
is isomorphic to a substructure of $M$, this is not always the case. (See Figure 6
in Example 5 for an example where the quotient gains a new transition.) The
quotient structure $N/(G, \vartheta_G|_{N_S})$ appears in the bottom right.


Example 3 (Example Box). Let $M$ and $G$ be as in Example 1. Let $\vartheta_G$ be defined
by $\vartheta_G(s_1) = \vartheta_G(s_2) = s_1$ and $\vartheta_G(t_1) = \vartheta_G(t_2) = t_1$. Then the quotient structure
$M/(G, \vartheta_G)$ has exactly 2 states, $s_1$ and $t_1$, with transitions $(s_1, t_1), (t_1, s_1)$.
The $G$-closed substructures of $M$ given in Figure 2 (a), (b),
and (c) also map to this quotient structure via $N \mapsto N/(G, \vartheta_G)$. Note that the
transition $(t_1, s_1)$ is present in the quotient, but is not present, for example, in
the structure of Figure 2 (b). However, the "corresponding" transition $(t_2, s_1)$
is present in Figure 2 (b).
Fig. 3. As discussed in Example 2, we have a Kripke structure in the top left and a
$G$-closed substructure in the bottom left. On the right, we have the quotients of the
whole structure (top) and the $G$-closed substructure (bottom).


In the sequel, we fix a Kripke structure $M$, a group $G$ of state-mappings of
$M$, and a representative map $\vartheta_G$ of $M$ with respect to $G$.

Example 3 shows that many $G$-closed substructures can have the same
quotient structure, and also that, in general, a transition in the quotient may
not itself be present in the original structure. We show, however, in Theorem 1
below that a "corresponding" transition is guaranteed to be present in the original
structure. These corresponding transitions can be joined into a path which
corresponds state-by-state to the path in the quotient. This "path correspondence"
is what allows for model checking of $M$ via model checking of $\bar{M}$ and is
formalized in the following theorem from Emerson and Sistla [18, 3.1].


Theorem 1 (Path Correspondence Theorem). There is a bidirectional correspondence
between paths of $M$ and paths of $\bar{M}$. Formally we have the following:


1. If $\pi = s_0, s_1, s_2, \ldots$ is a path in $M$, then $\bar{\pi} = \bar{s}_0, \bar{s}_1, \bar{s}_2, \ldots$ is a path in $\bar{M}$,
where $\bar{s}_i = \vartheta_G(s_i)$.

2. If $\bar{\pi} = \bar{s}_0, \bar{s}_1, \bar{s}_2, \ldots$ is a path in $\bar{M}$, then for every state $s'_0 \in M_S$ such that
$\vartheta_G(s'_0) = \bar{s}_0$ there is a path $s'_0, s'_1, s'_2, \ldots$ in $M$ such that $\vartheta_G(s'_i) = \bar{s}_i$.
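As an added example (not the paper's code), the Python below generates a group of state-mappings from generators, checks Definition 5, builds the quotient of Definition 9 using the least element of each orbit as representative (one admissible $\vartheta_G$ among many), lifts a quotient path back into a $G$-closed substructure as in item 2 of Theorem 1, and tests the $G$-maximality condition of Definition 10 in its "missing transition" form. The box-like structure `BOX`, its swap symmetry `SWAP` and the substructure `N_B` are constructed here; `BOX` has the same quotient as Example 3 but is not claimed to reproduce Figure 1.

```python
# Added example (not from the paper): groups of state-mappings (Definition 5),
# orbits and a representative map (Definition 8), the quotient (Definition 9),
# path lifting (Theorem 1, item 2) and the G-maximality test (Definition 10).
# BOX, SWAP and N_B below are constructed for illustration.
from typing import Callable, Dict, FrozenSet, Hashable, List, NamedTuple, Tuple

State = Hashable
Mapping = Dict[State, State]          # a state-mapping g : M_S -> M_S


class Kripke(NamedTuple):             # same representation as in the Section 3 example
    S: FrozenSet[State]
    S0: FrozenSet[State]
    T: FrozenSet[Tuple[State, State]]
    L: Dict[State, FrozenSet[str]]


def is_state_mapping(g: Mapping, M: Kripke) -> bool:
    """Definition 5: a bijection on M_S that preserves S_0 and the transition relation."""
    return (set(g) == set(M.S) and set(g.values()) == set(M.S)
            and frozenset(g[s] for s in M.S0) == M.S0
            and all(((g[a], g[b]) in M.T) == ((a, b) in M.T) for a in M.S for b in M.S))


def generate_group(gens: List[Mapping]) -> List[Mapping]:
    """Close a set of state-mappings under composition (finite, so this terminates)."""
    ident = {s: s for s in gens[0]}
    seen, todo = {frozenset(ident.items())}, [ident]
    while todo:
        g = todo.pop()
        for h in gens:
            gh = {s: h[g[s]] for s in g}
            if frozenset(gh.items()) not in seen:
                seen.add(frozenset(gh.items()))
                todo.append(gh)
    return [dict(k) for k in seen]


def representative(G: List[Mapping]) -> Callable[[State], State]:
    """A representative map: the least state of the orbit {g(s) : g in G}.
    It respects and separates orbits and is idempotent; any other such
    choice of representatives is equally valid (Definition 8)."""
    return lambda s: min(g[s] for g in G)


def quotient(M: Kripke, G: List[Mapping]) -> Kripke:
    """Definition 9: M/(G, vartheta_G), states and edges mapped through the representative."""
    rep = representative(G)
    S = frozenset(rep(s) for s in M.S)
    return Kripke(S, frozenset(rep(s) for s in M.S0),
                  frozenset((rep(a), rep(b)) for (a, b) in M.T),
                  {s: M.L[s] for s in S})


def is_G_closed(N: Kripke, G: List[Mapping]) -> bool:
    """Definition 6: every g in G acts on N as a state-mapping (states and transitions)."""
    return (all(g[s] in N.S for g in G for s in N.S)
            and all((g[a], g[b]) in N.T for g in G for (a, b) in N.T))


def lift_path(N: Kripke, G: List[Mapping], qpath: List[State], start: State) -> List[State]:
    """Theorem 1(2): from a path of N/(G, vartheta_G) and a concrete state in the
    orbit of its first state, build a path of N mapping onto it step by step.
    Some successor with the right representative always exists; the least is taken."""
    rep = representative(G)
    assert rep(start) == qpath[0], "start must lie in the orbit of the first quotient state"
    path = [start]
    for nxt in qpath[1:]:
        cands = sorted(b for (a, b) in N.T if a == path[-1] and rep(b) == nxt)
        assert cands, "Theorem 1 guarantees a corresponding transition"
        path.append(cands[0])
    return path


def is_G_maximal(N: Kripke, M: Kripke, G: List[Mapping]) -> bool:
    """Definition 10 in its 'missing transition' form: N is G-maximal iff every
    M-transition between N-states whose quotient edge lies in N-bar is already in N."""
    rep = representative(G)
    Nq = quotient(N, G)
    return is_G_closed(N, G) and all(
        (a, b) in N.T
        for (a, b) in M.T if a in N.S and b in N.S and (rep(a), rep(b)) in Nq.T)


# Constructed box-like structure: s1, s2 each step to t1, t2 and back; labels empty.
_L = {s: frozenset() for s in ("s1", "s2", "t1", "t2")}
BOX = Kripke(frozenset(_L.keys()), frozenset({"s1", "s2"}),
             frozenset((a, b) for a in ("s1", "s2") for b in ("t1", "t2"))
             | frozenset((b, a) for a in ("s1", "s2") for b in ("t1", "t2")), _L)
SWAP = {"s1": "s2", "s2": "s1", "t1": "t2", "t2": "t1"}
G = generate_group([SWAP])
# G-closed substructure keeping only the cycle s1 -> t1 -> s2 -> t2 -> s1.
N_B = Kripke(BOX.S, BOX.S0,
             frozenset([("s1", "t1"), ("t1", "s2"), ("s2", "t2"), ("t2", "s1")]), _L)
```

Here `quotient(N_B, G)` equals `quotient(BOX, G)` even though `N_B` lacks the transition `(t1, s1)` that appears in the quotient; its orbit-mate `(t2, s1)` is what `lift_path` finds, which is the situation discussed after Example 3. Because `(t1, s1)` is in `BOX` but not in `N_B`, `N_B` is not $G$-maximal, while `BOX` itself is.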


We now extend the path correspondence between $M$ and $\bar{M}$ to a correspondence
between $G$-closed substructures of $M$ and substructures of $\bar{M}$. Define
$\Psi : \Lambda_{M,G} \to \Lambda_{\bar{M}}$ by $\Psi(N) = N/(G, \vartheta_G)$, so that $\Psi$ maps a $G$-closed substructure
$N$ of $M$ to a corresponding substructure of $\bar{M}$. We call $\Psi$ the quotient map.
$\Psi$ establishes a join-semilattice homomorphism between $\Lambda_{M,G}$ and $\Lambda_{\bar{M}}$, as we
now show in the following series of lemmas.


Lemma 4. For every substructure $\bar{N}$ of $\bar{M}$, there is a $G$-closed substructure $N$
of $M$ such that $N/(G, \vartheta_G) = \bar{N}$.


Lemma 4 establishes that $\Psi$ is surjective. We note that every substructure
$\bar{N}$ of $\bar{M}$ defines a set of states of $M$, i.e., the union of the orbits of the states in $\bar{N}$. However,
in general, the transitions of $\bar{N}$ do not uniquely define transitions in $M$.

The next lemma demonstrates that $\Psi$ is a homomorphism of the join-semilattices
$\Lambda_{M,G}$ and $\Lambda_{\bar{M}}$. We note that it is not a homomorphism of the
lattices themselves, because the meet of two $G$-closed substructures might
be empty even when the meet of their quotients is not.


Lemma 5 (Quotient map respects join). Let $N, N' \in \Lambda_{M,G}$. Then
$\Psi(N \vee N') = \Psi(N) \vee \Psi(N')$.


As seen in Example 3, it is possible for multiple $G$-closed substructures of $M$
to map to the same substructure of the quotient structure $\bar{M}$. To obtain a single
well-defined preimage for each substructure of the quotient structure, we introduce
the concept of $G$-maximal. Recall that the join of $G$-closed substructures
of $M$ is $G$-closed.


Definition 10 (G-maximal). A $G$-closed substructure $N$ of $M$ is $G$-maximal
if
$$N = \bigvee \{\, N' \in \Lambda_{M,G} : N'/(G, \vartheta_G) \leq N/(G, \vartheta_G) \,\}.$$


That is, $N$ is the join of all $G$-closed substructures of $M$ whose quotient is
a substructure of the quotient of $N$ itself, namely of $N/(G, \vartheta_G)$. A $G$-closed
substructure $N$ fails to be $G$-maximal exactly when there are states $s, t \in N_S$
with $(s,t) \in M_T$ such that $(\bar{s}, \bar{t}) \in \bar{N}_T$, where $\bar{N} = N/(G, \vartheta_G)$, but $(s,t) \notin N_T$.

Among all of the $G$-closed substructures in Figure 2 only the entire structure
itself is $G$-maximal.


Lemma 6. Let $N', N''$ be two $G$-maximal substructures of $M$. Then $N' \vee N''$
is $G$-maximal and $N' \wedge N''$ is $G$-maximal.


Lemma 6 allows us to make the following definition. 


Definition 11 (G-maximal lattice of substructures). The set of $G$-maximal
substructures of $M$ forms a sublattice $\Lambda_{M,G\text{-}\max}$ of $\Lambda_M$.


While in general the quotient map from $\Lambda_{M,G}$ to $\Lambda_{\bar{M}}$ is always surjective,
when restricted to $\Lambda_{M,G\text{-}\max}$, the map is injective and is a lattice isomorphism.


Theorem 2 (G-Maximal Lattice Correspondence). The restriction of the
quotient map $\Psi$ to $\Lambda_{M,G\text{-}\max}$ is an isomorphism from $\Lambda_{M,G\text{-}\max}$ to $\Lambda_{\bar{M}}$, i.e.,
between the lattice of $G$-maximal substructures of $M$ and the lattice of substructures
of $\bar{M}$.

At this point, we would like to remind the reader of the various lattices that
we have defined and how they relate to each other:


$G$-maximal substructures $\subseteq$ $G$-closed substructures $\subseteq$ all substructures,
i.e., $\Lambda_{M,G\text{-}\max} \subseteq \Lambda_{M,G} \subseteq \Lambda_M$.


4.3 Semantic Relationships Between Structures and Quotient Structures


Definition 12. Let $G$ be a group of state-mappings of $M$. A CTL formula $\varphi$
is $G$-invariant over $M$ if for every state $s$, every $g \in G$, and all maximal
propositional subformulae $\varphi'$ of $\varphi$, we have


$M, s \models \varphi' \iff M, g(s) \models \varphi'$.


Lemma 7. If $\varphi$ is $G$-invariant, then the valuation of $\varphi$ in $\bar{M}$ does not depend
on the choice of representative map $\vartheta_G$.


This allows us to connect semantic statements about $M$ with semantic statements
about $\bar{M}$ for formulae that are $G$-invariant. The path correspondence
theorem establishes a bisimulation between $M$ and $\bar{M}$, in which state $s$ of $M$
and state $\bar{s}$ of $\bar{M}$ are bisimilar iff $s$ is in the orbit of $\bar{s}$, i.e., $s = g(\bar{s})$ for some
$g \in G$. We call such a bisimulation a $G$-bisimulation. Hence, $G$-bisimilar states
satisfy the same propositional subformulae of any $G$-invariant CTL formula $\varphi$.
A straightforward induction over the structure of $\varphi$ then shows that $s$ and $\bar{s}$ satisfy
the same $G$-invariant CTL formulae:


Corollary 1. $M \models \varphi$ iff $\bar{M} \models \varphi$, for all $G$-invariant CTL formulae $\varphi$.

Lemma 8. Let $s \in M_S$, $t \in \bar{M}_S$. Let $\varphi$ be a $G$-invariant CTL formula. If
$t = \vartheta_G(s)$, then $M, s \models \varphi \iff \bar{M}, t \models \varphi$.


Section 3 developed the theory of substructures of a Kripke structure. This
development was motivated by the following definition and theorem.


Definition 13 (Substructure-Repair). Given a structure $M$ and a CTL formula
$\varphi$, we call a nonempty substructure $N$ of $M$ a substructure-repair of
$M$ with respect to $\varphi$ if $N \models \varphi$.

If a CTL formula $\varphi$ is $G$-invariant, then the lattice correspondence will respect
the valuation of $\varphi$.


Theorem 3 (Repair Correspondence). Let $\varphi$ be a $G$-invariant CTL formula.
Let $N$ be a non-empty $G$-closed substructure of $M$, $s \in N_S$, and
$\bar{N} = N/(G, \vartheta_G)$. Then $N, s \models \varphi \iff \bar{N}, \vartheta_G(s) \models \varphi$.
5 Repair of Concurrent Programs


A concurrent program $P = P_1 \,\|\cdots\|\, P_n$ consists of $n$ sequential processes
executing in parallel. Each process $P_i$ is a set of $i$-actions $(s_i, B, t_i)$, where $s_i, t_i$
are local states of $P_i$ and $B$ is a guard (a predicate on the global state). We say
action when we ignore the process id. We assume a given set $S_0$ of initial states.
The program $P_1 \,\|\cdots\|\, P_n$ generates a transition $s \xrightarrow{i} t$ iff $P_i$ contains an action
$(s_i, B, t_i)$ such that $s{\upharpoonright}i = s_i$, $t{\upharpoonright}i = t_i$, and $s(B) = \mathit{true}$, where $s(B)$ is the value
of guard $B$ in global state $s$. The transition updates only atomic propositions
in $AP_i$, and so $s{\downharpoonright}i = t{\downharpoonright}i$. The state-transition graph of $P$ is the closure of this
"transition generation" operation, starting in the initial state set $S_0$.

Given a concurrent program $P$ and a CTL formula $\varphi$, we wish to modify $P$
to produce a repaired program $P'$ such that $M' \models \varphi$, where $M'$ is the state-transition
graph of $P'$. The modification is "subtractive", that is, it only removes
behaviors and does not add them. We assume henceforth that when $M$ is a
multiprocess Kripke structure over process indices $1, \ldots, n$, the symmetry
group $G$ is a subgroup of $S_n$, the group of permutations on $\{1, \ldots, n\}$.


5.1 Repair of Symmetry-reduced Structures 


We first generate the symmetry-reduced state transition graph $\bar{M}$ of $P$. We use
the algorithm of Emerson and Sistla [18, Figure 1]. We then apply the model
repair algorithm of Attie et al. [2] to $\bar{M}$ and the specification $\varphi$ of $P$. This algorithm
is sound and complete, so that if $\bar{M}$ has some substructure that satisfies $\varphi$,
then the algorithm will return such a substructure $\bar{N}$. If not, the algorithm will
report that no repair exists. As noted, applying this algorithm to the symmetry-reduced
state transition graph is only complete with respect to the symmetric
repairs, see Example 6.3.


5.2 Extraction of Concurrent Programs from Symmetry-reduced Structures


We want to extract a repaired concurrent program from $\bar{N}$ using the projection
method of [4,13]: each transition $s \xrightarrow{i} t$ is turned into an $i$-action $\mathit{action}(s \xrightarrow{i} t) =
(s{\upharpoonright}i, B, t{\upharpoonright}i)$, with guard $B = \langle s \rangle$ where $\langle s \rangle = \bigwedge_{Q \in L(s)} Q \wedge \bigwedge_{Q \notin L(s)} \neg Q$
and $Q$ ranges over $AP$. When process $i$ is in local state $s_i$, guard $B$ checks that
the current global state is actually $s$.

A key problem is that the definition of the quotient $\bar{M}$ allows transitions in
which the atomic propositions of more than one process are changed, since any
representative of an orbit can be chosen. Hence the repaired $\bar{N} \leq \bar{M}$ can also
contain such transitions, e.g., the transition from S6 to S1 in Figure 6 below,
which we write as $[C_1\, T_2] \to [T_1\, N_2]$. Note that the propositions of both processes
1 and 2 are changed. To generate $i$-actions, such transitions must be converted
so that only the atomic propositions of a single process are modified.

Define a transition from $s$ to $t$ to be regular iff it modifies atomic propositions
in at most one $AP_i$, so that $s{\downharpoonright}i = t{\downharpoonright}i$ for some process index $i$, and write the
transition as $s \xrightarrow{i} t$. Also define a transition from $s$ to $t$ to be irregular iff it is not
regular, i.e., it modifies atomic propositions in more than one $AP_i$, and write
the transition as $s \to t$, with no process index labelling the arrow.

For each irregular transition $s \to t \in \bar{N}_T$, there is $g' \in G$ such that $s \to g'(t)$
is regular. Such an element $g'$ always exists. Let $\bar{s} \to \bar{t} \in \bar{M}_T$ be arbitrary.
By Definition 9, there exists $s \to t \in M_T$ such that $\bar{s} = \vartheta_G(s)$ and
$\bar{t} = \vartheta_G(t)$. Hence there is some $g \in G$ such that $g(s) = \bar{s}$, since $s$ and $\bar{s}$ are in
the same orbit. Since $g$ is a symmetry of $M$, we have $g(s) \to g(t) \in M_T$. Hence
$\bar{s} \to g(t) \in M_T$, and this transition is regular since every transition of $M$ is
generated by a single action of $P$. Now $\bar{t} = h(t)$ for some $h \in G$, since $t$ and $\bar{t}$ are in the same
orbit, so $t = h^{-1}(\bar{t})$. Hence $\bar{s} \to g(h^{-1}(\bar{t})) \in M_T$, and so the needed $g'$ is the product of $g$ and
$h^{-1}$. For example, by applying the permutation of process indices 1, 2 to $[T_1\, N_2]$,
from the irregular transition $[C_1\, T_2] \to [T_1\, N_2]$ we extract the regular transition
$[C_1\, T_2] \to [N_1\, T_2]$.

Define $\mathit{Reg}_i(\bar{N}_T)$ to be the set of regular transitions $s \xrightarrow{i} g(t)$ such that
$g \in G$ and $s \to t \in \bar{N}_T$. Since $g$ can be the identity element of $G$, it follows
that this accounts for both regular and irregular transitions in $\bar{N}_T$. Define
$\mathit{Act}_i(\bar{N}_T) = \{\mathit{action}(s \xrightarrow{i} t) \mid s \xrightarrow{i} t \in \mathit{Reg}_i(\bar{N}_T)\}$, the set of actions obtained
from $\mathit{Reg}_i(\bar{N}_T)$.

Define the action of $g \in G$ on syntactic elements of $P_i$ as follows. For local
state $s_i$: $g(s_i) = s_{g(i)}$. For atomic proposition $Q_i$: $g(Q_i) = Q_{g(i)}$. For guard $B$, by
induction: $g(\neg B) = \neg g(B)$ and $g(B_1 \wedge B_2) = g(B_1) \wedge g(B_2)$, with the base case
given by $g(Q_i)$ above. For $i$-action $(s_i, B, t_i)$: $g(s_i, B, t_i) = (g(s_i), g(B), g(t_i))$.
That is, we apply $g$ to all process indices in the syntactic element. Now define
$\mathit{Act}^G_i(\bar{N}_T)$, the symmetrization of $\mathit{Act}_i(\bar{N}_T)$, by $\mathit{Act}^G_i(\bar{N}_T) = \{g(a) \mid g \in G,\ a \in
\mathit{Act}_j(\bar{N}_T),\ g(j) = i\}$. The repaired concurrent program arises from process-wise
repair $P^G = P^G_1 \,\|\cdots\|\, P^G_n$, where $P^G_i$ consists of the $i$-actions in $\mathit{Act}^G_i(\bar{N}_T)$.


Theorem 4. Let $P^G$ be the concurrent program extracted from $\bar{N}$ as above,
let $N^P$ be the state transition graph generated by the execution of $P^G$, and let
$\bar{N}^P = N^P/(G, \vartheta_G)$. Then $N^P$ is $G$-closed and $\bar{N}^P = \bar{N}$.


Corollary 2. Let $P^G$ be the repaired program and $\varphi$ the CTL specification that
was used to repair $\bar{M}$, resulting in $\bar{N}$. Then $P^G \models \varphi$.
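The Python below is an added worked example (not the paper's implementation) of the extraction procedure of Section 5.2, run on the two-process mutual exclusion program of Section 6.1 (Figure 4). The quotient is repaired here by hand for the safety conjunct only, by dropping the orbit of the state with $C_1 \wedge C_2$; this stands in for the repair algorithm of [2] and does not address the liveness conjunct. The representative map takes the least tuple of each orbit, so the state names differ from Figures 5 and 6. The function `run` returns everything needed to check Theorem 4 on this instance: the generated graph $N^P$ is $G$-closed and its quotient equals the repaired $\bar{N}$.

```python
# Added example (not the paper's implementation): the extraction of Section 5.2
# run on the two-process mutual exclusion program of Section 6.1.  The quotient
# is repaired here by hand for the safety conjunct only (the C1 C2 orbit is
# dropped), standing in for the repair algorithm of [2]; liveness is not treated.
# Global states are tuples of local states; position k holds process k+1.
from typing import FrozenSet, List, Set, Tuple

Local = str
State = Tuple[Local, ...]
Literal = Tuple[Local, int, bool]                 # (local state name, process position, polarity)
Action = Tuple[int, Local, FrozenSet[Literal], Local]   # i-action (s_i, B, t_i) of process i
Perm = Tuple[int, ...]                            # g in S_n; apply(g, s)[k] = s[g[k]]

LOCALS = ("N", "T", "C")
N_PROC = 2
G: List[Perm] = [(0, 1), (1, 0)]                  # identity and the swap of the two processes


def apply(g: Perm, s: State) -> State:
    return tuple(s[g[k]] for k in range(len(s)))


def rep(s: State) -> State:
    """Representative map vartheta_G: the least state of the orbit of s."""
    return min(apply(g, s) for g in G)


def label(s: State) -> FrozenSet[Literal]:
    """The guard <s>: every atomic proposition with its truth value in s."""
    return frozenset((q, i, s[i] == q) for i in range(len(s)) for q in LOCALS)


def holds(B: FrozenSet[Literal], s: State) -> bool:
    return all((s[i] == q) == pol for (q, i, pol) in B)


def generate(actions: Set[Action], s0: State) -> Tuple[Set[State], Set[Tuple[State, State]]]:
    """State-transition graph of P_1 || ... || P_n from s0 (Section 5)."""
    S, T, todo = {s0}, set(), [s0]
    while todo:
        s = todo.pop()
        for (i, si, B, ti) in actions:
            if s[i] == si and holds(B, s):
                t = s[:i] + (ti,) + s[i + 1:]
                T.add((s, t))
                if t not in S:
                    S.add(t)
                    todo.append(t)
    return S, T


def extract(qT: Set[Tuple[State, State]]) -> Set[Action]:
    """Section 5.2: regularise each quotient transition with some g in G, turn it
    into an i-action guarded by <s> (Act_i), then symmetrise over G (Act_i^G)."""
    acts: Set[Action] = set()
    for (s, t) in qT:
        for g in G:
            u = apply(g, t)
            idx = [k for k in range(len(s)) if s[k] != u[k]]
            if len(idx) <= 1:                     # s -> g(t) is regular
                i = idx[0] if idx else 0          # a self-loop changes nothing; attribute it to P_1
                acts.add((i, s[i], label(s), u[i]))
                break
        else:
            raise ValueError(f"no g in G regularises {s} -> {t}")
    sym: Set[Action] = set()
    for g in G:                                   # g(Q_j) = Q_{g(j)}: rename the process positions
        for (j, sj, B, tj) in acts:
            sym.add((g.index(j), sj, frozenset((q, g.index(k), p) for (q, k, p) in B), tj))
    return sym


def trivial_program() -> Set[Action]:
    """Figure 4: each process cycles N -> T -> C -> N and every guard is true."""
    return {(i, a, frozenset(), b)
            for i in range(N_PROC) for (a, b) in (("N", "T"), ("T", "C"), ("C", "N"))}


def quotient_graph(S, T):
    return {rep(s) for s in S}, {(rep(a), rep(b)) for (a, b) in T}


def run():
    s0 = ("N",) * N_PROC
    S, T = generate(trivial_program(), s0)          # M: all 9 global states are reachable
    qS, qT = quotient_graph(S, T)                   # M-bar: 6 orbits
    bad = {s for s in qS if s.count("C") > 1}       # violates AG not(C1 and C2)
    nS = qS - bad                                   # N-bar: the hand-chosen safety repair
    nT = {(a, b) for (a, b) in qT if a not in bad and b not in bad}
    assert all(any(a == s for (a, _) in nT) for s in nS), "repair must stay total"
    prog = extract(nT)                              # P^G as per-process i-actions
    pS, pT = generate(prog, s0)                     # N^P
    return S, (nS, nT), (pS, pT), prog
```

On this instance the quotient edge from the orbit of $(N, T)$ to the orbit of $(C, N)$ is the irregular one (both positions change); `extract` regularises it with the swap to $(N, T) \to (N, C)$ and attributes it to process 2, and the symmetrisation step then gives process 1 the mirrored action. The generated $N^P$ has 8 states, never reaches a state with both processes in $C$, and its quotient is exactly the repaired $\bar{N}$, as Theorem 4 states.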


6 Examples 


6.1 Two process Mutual Exclusion 


We consider mutual exclusion for two processes $P_1, P_2$. Each $P_i$ has three local
states: $N_i$ (neutral, computing locally), $T_i$ (trying, has requested critical section
entry), and $C_i$ (in the critical region). We start with the "trivial" program $P$
shown in Figure 4 in which all action guards are "true" and apply the program
repair algorithm of Section 5 to repair this program w.r.t. the specification $\varphi =
AG\neg(C_1 \wedge C_2) \wedge AG((T_1 \vee T_2) \Rightarrow AF(C_1 \vee C_2))$. The first conjunct specifies mutual
exclusion of the critical sections (safety) and the second specifies progress: if some
process requests the critical section then some process will obtain it (liveness).
Figure 5 (left side) shows the Kripke structure $M$ generated by execution of
$P$. Transitions of $P_1, P_2$ are shown in blue, red, respectively. Clearly, $M \not\models \varphi$.
Actually both conjuncts are violated: $AG\neg(C_1 \wedge C_2)$ due to the reachability of
state S8 from the initial state, and $AG((T_1 \vee T_2) \Rightarrow AF(C_1 \vee C_2))$ due to the self
loop on state S4.

$M$ has exactly two symmetries: the identity map, and the map that swaps
process indices 1 and 2. Our program repair algorithm does not generate $M$,
since $M$ may be large, and we show $M$ only for exposition. We generate $\bar{M} =
M/(G, \vartheta_G)$ directly from $P$, and we show $\bar{M}$ in Figure 5 (right side). $\bar{M}$ has
a transition (shown in black) from state S6 to S1, which is the quotient of the
transition from S6 to S2 in $M$, i.e., $\vartheta_G(\mathrm{S6}) = \mathrm{S6}$ and $\vartheta_G(\mathrm{S2}) = \mathrm{S1}$, so the edge
$(\vartheta_G(\mathrm{S6}), \vartheta_G(\mathrm{S2}))$ occurs in $\bar{M}$.

Figure 6 shows the repair $\bar{N}$ of the reduced structure $\bar{M}$, and the resultant
lifting of the repair to $M$. The deleted transitions and states are shown dashed.


Figure 7 shows the repaired concurrent program $P^G$ that is extracted from $\bar{N}$.
Note that $\oplus$ means disjunction [3]. By Corollary 2, $P^G \models \varphi$.


Fig. 4. Initial incorrect mutual exclusion program from Section 6.1 (all action guards are "true").


6.2 n-Process Mutual Exclusion 


We now consider mutual exclusion for n processes. To reduce clutter, we remove 
the trying state $T_i$, and we give a concrete example for 3 processes; the 
generalization to n processes is straightforward. Each process can move directly 
from N to C with the appropriate indexes, i.e., the guards on all actions are 
initially "true", just like in Figure 4. 

We consider the mutual exclusion specification $\bigwedge_{i \neq j} AG\neg(C_i \wedge C_j)$. The group 
of state mappings G for both structure and specification is the full permutation 
group on the indices $\{1, \ldots, N\}$. For N processes, we have that the quotient 
model by the full group of symmetries has N+1 states, while the original model 
would have $2^N$ states. Figure 8 shows the repair of the quotient $\overline{M}$ and then 
the lifting of the repair to the original structure M. Figure 9 shows the correct 
(repaired) program $P^C$ that is extracted from the repaired quotient in Figure 8. 
For N processes, the guard on actions of $P_i$ is $\bigwedge_{j \neq i} N_j$. 


Fig. 5. The original model M and quotient $\overline{M} = M/(G, \nabla_G)$ for the Kripke structures 
in Section 6.1. 


[Figure 7: the two-process program whose guards are built from $N_2 \oplus T_2$, $N_1 \oplus T_1$, 
$N_2 \oplus T_2 \oplus C_2$ and $N_1 \oplus T_1 \oplus C_1$.] 

Fig. 7. The mutual exclusion concurrent program extracted from $\overline{N}$ in Figure 6. 
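As an added illustration of the quotient construction used in Sections 6.1 and 6.2 (this code is not from the paper), the following Python builds the Kripke structure M of the unguarded program, folds it under the full permutation group of process indices, and checks the stated state counts and the safety conjunct. The representative map is assumed to pick the lexicographically least element of each orbit.

```python
from itertools import permutations

def build_structure(n, locals_):
    """Kripke structure M generated by the unguarded program: every process
    cycles through locals_ (N -> T -> C -> N in Section 6.1, N -> C -> N in
    Section 6.2) and one process moves per transition.  Returns (init, Q, R)."""
    step = dict(zip(locals_, locals_[1:] + locals_[:1]))
    init = tuple(locals_[0] for _ in range(n))
    states, edges, todo = {init}, set(), [init]
    while todo:
        s = todo.pop()
        for i in range(n):
            t = s[:i] + (step[s[i]],) + s[i + 1:]
            edges.add((s, t))
            if t not in states:
                states.add(t)
                todo.append(t)
    return init, states, edges

def act(perm, s):
    """State mapping induced by an index permutation: process i takes the
    local state of process perm[i]."""
    return tuple(s[perm[i]] for i in range(len(s)))

def representative(group, s):
    """rep(s): a canonical element of the orbit G.s (assumed here to be the
    lexicographically least one)."""
    return min(act(g, s) for g in group)

def quotient(init, states, edges, group):
    """The quotient M/(G, rep): states are representatives and every edge
    (s, t) of M is folded to (rep(s), rep(t)), which is exactly how the black
    edge (rep(S6), rep(S2)) of Figure 5 arises."""
    rep = {s: representative(group, s) for s in states}
    return rep[init], {rep[s] for s in states}, {(rep[s], rep[t]) for s, t in edges}

def reachable(init, edges):
    """All states on some path from init (the states AG quantifies over)."""
    succ = {}
    for s, t in edges:
        succ.setdefault(s, set()).add(t)
    seen, todo = {init}, [init]
    while todo:
        s = todo.pop()
        for t in succ.get(s, ()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def violates_mutex(s):
    """Bad states of the conjunct AG not(C_i and C_j): two or more processes in C."""
    return sum(l == "C" for l in s) >= 2

def summary(n, locals_):
    """(|Q|, |Q-bar|, M violates mutex?, M-bar violates mutex?) for the full
    permutation group on {1..n} acting on the unguarded n-process program."""
    group = list(permutations(range(n)))
    init, states, edges = build_structure(n, tuple(locals_))
    qinit, qstates, qedges = quotient(init, states, edges, group)
    bad_m = any(violates_mutex(s) for s in reachable(init, edges))
    bad_q = any(violates_mutex(s) for s in reachable(qinit, qedges))
    return len(states), len(qstates), bad_m, bad_q

if __name__ == "__main__":
    print("Section 6.1 (N, T, C), 2 processes:", summary(2, "NTC"))
    print("Section 6.2 (N, C), 3 processes:", summary(3, "NC"))
```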


6.3 No G-closed Repairs 


Consider the structure in Figure 10 and the formula $f = AX\,AX\,AX\,P$. The struc- 
ture M has a single initial state. Let G be the group consisting of the identity 
and the map swapping S1 and S2. In Figure 10 we see that the quotient struc- 
ture $M/(G, \nabla_G)$ does not have any nonempty repairs with respect to f. But, M 
does contain a substructure $M'$ that satisfies f. 


7 Relative Completeness of Group Theoretic Repair 


By the Repair Correspondence (Theorem 3), the existence of a repair $\overline{M}'$ of $\overline{M}$ 
implies the existence of a repair $M'$ of M. In Example 6.3, we gave an example 
in which a repair $M'$ of M exists but no G-closed repair does, i.e., $\overline{M}$ has no 
repairs. This leads us to ask: is there a fragment of CTL, and/or a class of Kripke 
structures, for which group theoretic repair is complete? That is, the existence 
of a repair (substructure $M'$ of M that satisfies $\varphi$) implies the existence of a 
G-closed repair (G-closed substructure $M''$ of M that satisfies $\varphi$). 

One attempt to answer this question is to examine formulae and structures 
where substructures are equivalent to the smallest G-closed substructure con- 
taining them. Assume there exists $M' \leq M$ such that $M' \models \varphi$. Write $M'^{G}$ for the 
smallest G-closed structure that contains $M'$. We call $M'^{G}$ the G-closure of $M'$ in 
M. If $M'^{G}$ is bisimilar to $M'$, then $M'^{G} \models \varphi$, and $M'^{G}$ is a G-closed substructure 
of M satisfying $\varphi$. 

In [14], Emerson et al. give a criterion for a structure M to be bisimilar to the 
symmetrized structure $M^{G}$; their criterion is: for any transition $(s, t)$ of $M^{G}$ 
there must be a $g \in G$ such that $(s, g(t))$ is a transition of M. When asking about 
substructures, it is not clear what criterion on M is needed to ensure that each 
substructure $M'$ of M is bisimilar to $M'^{G}$. 


Definition 14 (G-Repair Complete). Let M be a Kripke structure with a 
group of state mappings G and $\varphi$ a G-invariant CTL formula. Let $N \leq M$ 
be any repair of M with respect to $\varphi$, and let s be any state in $N^{G}$. Then the 
pair $(M, \varphi)$ is G-repair complete if: $N, s \models \varphi$ implies for all $g \in G$, we have 
$N^{G}, g(s) \models \varphi$. 


It is clear that propositional formulae are always G-repair complete. In ad- 
dition we note the following: 


Theorem 5. If $\varphi$ and $\psi$ are purely propositional formulae then for any Kripke 
structure M, the pair $(M, A[\varphi\,R\,\psi])$ is G-repair complete. 


There exist structures M and formulae $\varphi, \psi$ such that $(M, \varphi)$ is G-repair 
complete and $(M, \psi)$ is G-repair complete, but $(M, \varphi \wedge \psi)$ is not G-repair complete. 
Fig. 8. The Kripke structure defined in Section 6.2. On the left is the repair of $\overline{M}$ and 
the lifting of the repair to M appears on the right. 


[Figure 9: processes 1, 2, 3 with guards $(N_2 \wedge N_3)$, $(N_1 \wedge N_3)$, $(N_1 \wedge N_2)$.] 

Fig. 9. The repaired program $P^C$ for the program in Section 6.2. 


Fig. 10. The models from Section 6.3 from left to right: the model M, the quotient of 
M, a repair of M with respect to $f = AX\,AX\,AX\,P$ that is not G-closed. 
Example 4. Let M be the Kripke structure described by Figure 11. Let G be the 
group of state mappings generated by swapping $s_1$ and $s_2$. Let $\varphi = A[p\,R\,q]$ and 
$\psi = AF\neg q$. The structure M has a nonempty G-closed repair for $\varphi$. Similarly 
there is a single nonempty G-closed repair for $\psi$. But M has no G-closed repairs 
of $\varphi \wedge \psi$. 


Fig. 11. The Kripke structure from Example 4 (note that $(b, s_0)$ is a transition, while 
$(b, r)$ is not) (left), G-closed repairs of M with respect to the formulae $A[p\,R\,q]$ (center), 
and $AF\neg q$ (right). 


8 Conclusions 


We present a theory of how group actions could be used to assist in the repair 
of a Kripke structure. 

We presented a theory for the substructures of a given Kripke structure 
M, their organization into lattices, and how these substructures interact with 
a group of state-mappings of M. We show a lattice isomorphism between 
substructure-repairs of $\overline{M}$ and G-maximal repairs of M (Theorem 3: Repair 
Correspondence). This monotone Galois correspondence guarantees that a re- 
pair of $\overline{M}$ lifts to a repair of M: that is to say that model repairs of $\overline{M}$ with 
respect to a G-invariant CTL formula $\varphi$ lift to model repairs of M with respect 
to $\varphi$. Using this theory we were able to devise a method for repairing concurrent 
programs which exploits this correspondence, thus avoiding state explosion. We 
construct the quotient structure $\overline{M}$ directly from P without the need to con- 
struct the structure M. By our correspondence, repairing $\overline{M}$ will lift to a repair 
of the structure M, which in turn corresponds to a repair of P. We show how to 
construct a repair of P using the repair of $\overline{M}$ while circumventing the creation 
of the larger Kripke structure. 

A Kripke structure M that can be repaired with respect to a formula $\varphi$ 
can be repaired via abstraction. However, not every repair of an abstracted 
structure corresponds to a repair of M. In contrast, the structure might 
not be repairable using the quotient structure, but any repair of the quotient 
structure will lift to a repair of the original structure. 
Abstract. We investigate concurrent two-player win/lose stochastic 
games on finite graphs with prefix-independent objectives. We charac- 
terize subgame optimal strategies and use this characterization to show 
various memory transfer results: 1) For a given (prefix-independent) ob- 
jective, if every game that has a subgame almost-surely winning strat- 
egy also has a positional one, then every game that has a subgame op- 
timal strategy also has a positional one; 2) Assume that the (prefix- 
independent) objective has a neutral color. If every turn-based game that 
has a subgame almost-surely winning strategy also has a positional one, 
then every game that has a finite-choice (notion to be defined) subgame 
optimal strategy also has a positional one. 

We collect or design examples to show that our results are tight in several 
ways. We also apply our results to Büchi, co-Büchi, parity, mean-payoff 
objectives, thus yielding simpler statements. 


1 Introduction 


Turn-based two-player win/lose (stochastic) games on finite graphs have been 
intensively studied in the context of model checking in a broad sense [19,1]. These 
games behave well regarding optimality in various settings. Most importantly for 
this paper, [14] proved the following results for finite turn-based stochastic games 
with prefix-independent objectives: (1) every game has deterministic optimal 
strategies; (2) from every value-1 state, there is an optimal, i.e. almost-surely 
winning, strategy; (3) if from every value-1 state of every game there is an 
optimal strategy using some fixed amount of memory, every game has an optimal 
strategy using this amount of memory. These results are of either of the following 
generic forms: 


— In all games, (from all nice states) there is a nice strategy. 
— If from all nice states of all games there is a nice strategy, so it is from all 
states. 


The concurrent version of these turn-based (stochastic) games has a higher 
modeling power than the turn-based version: this is really useful in practice since 
real-world systems are intrinsically concurrent [15]. They are played on a finite 
graph as follows: at each player state, the two players stochastically and inde- 
pendently choose one among finitely many actions. This yields a Nature state, 
which stochastically draws a next player state, from where each player chooses 
one action again, and so on. Each player state is labelled by a color, and who wins 
depends on the infinite sequence of colors underlying the (stochastically) gener- 
ated infinite sequence of player states. Unfortunately, these concurrent games do 
not behave well in general even for simple winning conditions and simple graph 
structures, like finite graphs: 


— Reachability objectives: there is a game without optimal strategies [13]; 

— Büchi objectives: there is a game with value 1 while all finite-memory strate- 
gies have value 0 [12]; 

— Co-Büchi objectives: although there are always positional ε-optimal strate- 
gies [8], there is a game with optimal strategies but without finite-memory 
optimal strategies [4]; 

— Parity [12] and mean-payoff [10] objectives: there is a game with subgame 
almost-surely-winning strategies, but where all finite-memory strategies have 
value 0. 


In this paper, we focus on concurrent stochastic finite games. Therefore, the 
generic forms of our results will be more complex, in order to take into account 
the above-mentioned discrepancies. They will somehow be given as generic state- 
ments as follows: 


— Every game that has a nice strategy also has a nicer one. 
— If all special games that have a nice strategy have a nicer one, so it is for all 
games. 


Much of the difficulty consists in fine-tuning the strength of “nice”, “nicer” and 
“special” above. We present below our main contributions on finite two-player 
win/lose concurrent stochastic games with prefix-independent objectives: 


1. We provide a characterization of subgame optimal strategies, which are 
strategies that are optimal after every history (Theorem 1): a Player A strat- 
egy is subgame optimal iff 1) it is locally optimal and 2) for every Player 
B deterministic strategy, after every history, if the visited states have the 
same positive value, Player A wins with probability 1. This characterization 
is used to prove all the results below. 

2. We prove memory transfer results from subgame almost-surely winning strate- 
gies to subgame optimal strategies: 

(a) Theorem 2: If every game that has a subgame almost-surely winning 
strategy also has a positional one, then every game that has a subgame 
optimal strategy also has a positional one. 

(b) Corollary 1: every Büchi or co-Büchi game that has a subgame optimal 
strategy has a positional one. (Whereas parity games may require infinite 
memory [12].) 

Note that the transfer result 2a can be generalized from positional to finite 
memory. 

3. We say that a strategy has finite-choice, if it uses only finitely many action 
distributions. Note that finite-memory (resp. deterministic) strategies clearly 
have finite choice. 
(a) Theorem 4: In a given game, if there is a finite-choice optimal strategy, 
there is a finite-choice subgame optimal strategy. 

(b) Theorem 5: Assume that the objective has a neutral color. If every turn- 
based game that has a subgame almost-surely winning strategy also has a 
positional one, then every game that has a finite-choice subgame optimal 
strategy also has a positional one. 

(c) Corollary 2: every parity or mean-payoff game that has a finite-memory 
subgame optimal strategy also has a positional one. 

Note that 3a and 3b are false if the word finite-choice is removed [4]. The 
proof of 3b invokes 3a. Flavor (and proofs) of 3b and 2a are similar, but 
both premises and conclusions are weakened in 3b, as emphasized. 


Related works. A large part of this paper is dedicated to the extension to 
concurrent games of the results from [14] regarding the transfer of memory from 
almost-surely winning strategies to optimal strategies in turn-based games. Note 
that the proof technique used in [14] is different and could not be adapted to 
our more general setting. In their proof, both players agree on a preference over 
Nature states and play according to this preference. In our proof, we slice the 
graph into value areas (that is, sets of states with the same value), and show 
that it is sufficient to play an almost-sure winning strategy in each slice; we then 
glue these (partial) strategies together to get a subgame-optimal strategy over 
the whole graph. 

The slicing technique was already used in the context of concurrent games 
in [8]. The authors focus on parity objectives and establish a memory transfer 
result from limit-sure winning strategies to almost-optimal strategies. As an 
application, they show that, for co-Büchi objectives, since positional strategies 
are sufficient to win limit-surely, they also are to win almost-optimally. Their 
construction made heavy use of the specific nature of parity objectives. 

We also mention [6], where the focus is also on concurrent games with prefix- 
independent objectives. In particular, the authors establish a (very useful) result: 
if all states have positive values, then they all have value 1. (Note that a strength- 
ening of this result is presented in this paper (Theorem 3), which also appears 
as an adaptation of a result proved in [14]). This result is then used in another 
context with non-zero-sum games. 

Finally, some recent works on concurrent games have been done in [2,3,4], 
where the goal is the following: local interactions of the two players in the player 
state are given by bi-dimensional tables; those tables can be abstracted as game 
forms, where (output) variables are issues of the local interaction (possibly sev- 
eral issues are labelled by the same variable). The goal of this series of works 
is to give (intrinsic) properties of these game forms, so that, when used in a 
graph game, the existence of optimal strategies is ensured. For instance, in [3], 
a property of game forms, called RM, is given, which ensures that, if one only 
uses RM game forms in a graph, then for every reachability objective, Player 
A will always have an optimal strategy for that objective. This property is a 
characterization of well-behaved game forms regarding reachability objectives 
since every game form which is not RM can be embedded into a (small) graph 
game in such a way that Player A does not have an optimal strategy. This line 
of works really differs from the target of the current paper. 

Structure of the paper. Section 2 presents notations, Section 3 recalls the 
notion of game forms, Section 4 introduces our formalism, Section 5 exhibits 
a necessary and sufficient pair of conditions for subgame optimality, Section 6 
shows a memory transfer from subgame almost-surely winning to subgame opti- 
mal in concurrent games, and Section 7 adapts the results of the previous section 
to the case of the existence of a subgame finite-choice strategy. 

Detailed proofs and additional formal definitions are available in [5]. 


2 Preliminaries 


Consider a non-empty set Q. We denote by $Q^*$, $Q^+$ and $Q^\omega$ the set of finite 
sequences, non-empty finite sequences and infinite sequences of elements of Q 
respectively. For $n \in \mathbb{N}$, we denote by $Q^n$ (resp. $Q^{\leq n}$) the set of sequences of 
(resp. at most) n elements of Q. For all $\rho = q_1 \cdots q_n \in Q^n$ and $i \leq n$, we denote 
by $\rho_i$ the element $q_i \in Q$ and by $\rho_{\leq i} \in Q^i$ the finite sequence $q_1 \cdots q_i$. For a 
subset $S \subseteq Q$, we denote by $Q^* \cdot S^\omega \subseteq Q^\omega$ the set of infinite paths that eventually 
settle in S and by $(Q^* \cdot S)^\omega \subseteq Q^\omega$ the set of infinite paths visiting infinitely often 
the set S. 

A discrete probabilistic distribution over a non-empty finite set Q is a function 
$\mu : Q \to [0,1]$ such that $\sum_{x \in Q} \mu(x) = 1$. The support $\mathrm{Supp}(\mu)$ of a probabilistic 
distribution $\mu : Q \to [0,1]$ is the set of non-zeros of the distribution: $\mathrm{Supp}(\mu) = 
\{q \in Q \mid \mu(q) \in (0, 1]\}$. The set of all distributions over Q is denoted $\mathcal{D}(Q)$. 


3 Game forms 


We recall the definition of game forms — informally, bi-dimensional tables with 
variables — and of games in normal forms — game forms whose outcomes are 
values between 0 and 1. 


Definition 1 (Game form and game in normal form). A game form (GF 
for short) is a tuple $\mathcal{F} = (\mathrm{Act}_A, \mathrm{Act}_B, O, \varrho)$ where $\mathrm{Act}_A$ (resp. $\mathrm{Act}_B$) is the non- 
empty finite set of actions available to Player A (resp. B), O is a non-empty set 
of outcomes, and $\varrho : \mathrm{Act}_A \times \mathrm{Act}_B \to O$ is a function that associates an outcome 
to each pair of actions. When the set of outcomes O is equal to [0,1], we say 
that $\mathcal{F}$ is a game in normal form. For a valuation $v \in [0,1]^O$ of the outcomes, 
the notation $\langle \mathcal{F}, v \rangle$ refers to the game in normal form $(\mathrm{Act}_A, \mathrm{Act}_B, [0,1], v \circ \varrho)$. 


We use game forms to represent interactions between two players. The strategies 
available to Player A (resp. B) are convex combinations of actions given as the 
rows (resp. columns) of the table. In a game in normal form, Player A tries to 
maximize the outcome, whereas Player B tries to minimize it. 
Definition 2 (Outcome of a game in normal form). Consider a game in 
normal form $\mathcal{F} = (\mathrm{Act}_A, \mathrm{Act}_B, [0,1], \varrho)$. The set $\mathcal{D}(\mathrm{Act}_A)$ (resp. $\mathcal{D}(\mathrm{Act}_B)$) is the 
set of strategies available to Player A (resp. B). For a pair of strategies $(\sigma_A, \sigma_B) \in 
\mathcal{D}(\mathrm{Act}_A) \times \mathcal{D}(\mathrm{Act}_B)$, the outcome $\mathrm{out}_{\mathcal{F}}(\sigma_A, \sigma_B)$ in $\mathcal{F}$ of the strategies $(\sigma_A, \sigma_B)$ is 
defined as: $\mathrm{out}_{\mathcal{F}}(\sigma_A, \sigma_B) := \sum_{a \in \mathrm{Act}_A} \sum_{b \in \mathrm{Act}_B} \sigma_A(a) \cdot \sigma_B(b) \cdot \varrho(a, b) \in [0, 1]$. 


Definition 3 (Value of a game in normal form and optimal strategies). 
Consider a game in normal form $\mathcal{F} = (\mathrm{Act}_A, \mathrm{Act}_B, [0,1], \varrho)$ and a strategy $\sigma_A \in 
\mathcal{D}(\mathrm{Act}_A)$ for Player A. The value of the strategy $\sigma_A$, denoted $\mathrm{val}_{\mathcal{F}}(\sigma_A)$, is equal 
to: $\mathrm{val}_{\mathcal{F}}(\sigma_A) := \inf_{\sigma_B \in \mathcal{D}(\mathrm{Act}_B)} \mathrm{out}_{\mathcal{F}}(\sigma_A, \sigma_B)$, and analogously for Player B, with a 
sup instead of an inf. When $\sup_{\sigma_A \in \mathcal{D}(\mathrm{Act}_A)} \mathrm{val}_{\mathcal{F}}(\sigma_A) = \inf_{\sigma_B \in \mathcal{D}(\mathrm{Act}_B)} \mathrm{val}_{\mathcal{F}}(\sigma_B)$, it 
defines the value of the game $\mathcal{F}$, denoted $\mathrm{val}_{\mathcal{F}}$. 

A strategy $\sigma_A \in \mathcal{D}(\mathrm{Act}_A)$ ensuring $\mathrm{val}_{\mathcal{F}} = \mathrm{val}_{\mathcal{F}}(\sigma_A)$ is called optimal. The set 
of all optimal strategies for Player A is denoted $\mathrm{Opt}_A(\mathcal{F}) \subseteq \mathcal{D}(\mathrm{Act}_A)$, and analo- 
gously for Player B. Von Neumann's minimax theorem [20] ensures the existence 
of optimal strategies (for both players). 


In the following, strategies in games in normal form will be called GF-strategies, 
in order not to confuse them with strategies in concurrent (graph) games. 


4 Concurrent games and optimal strategies 


4.1 Concurrent arenas and strategies 
We introduce the definition of concurrent arenas played on a finite graph. 


Definition 4 (Finite stochastic concurrent arena). A colored concurrent 
arena $\mathcal{C}$ is a tuple $(Q, (A_q)_{q \in Q}, (B_q)_{q \in Q}, D, \delta, \mathrm{dist}, K, \mathrm{col})$ where Q is the non- 
empty finite set of states, for all $q \in Q$, $A_q$ (resp. $B_q$) is the non-empty finite set 
of actions available to Player A (resp. B) at state q, D is the finite set of Nature 
states, $\delta : \bigcup_{q \in Q} (\{q\} \times A_q \times B_q) \to D$ is the transition function, $\mathrm{dist} : D \to \mathcal{D}(Q)$ 
is the distribution function. Furthermore, K is the non-empty finite set of colors 
and $\mathrm{col} : Q \to K$ is the coloring function. 


In the following, the arena $\mathcal{C}$ will refer to the tuple $(Q, (A_q)_{q \in Q}, (B_q)_{q \in Q}, D, \delta, 
\mathrm{dist}, K, \mathrm{col})$, unless otherwise stated. A concurrent game is obtained from a con- 
current arena by adding a winning condition: the set of infinite paths winning 
for Player A (and losing for Player B). 


Definition 5 (Finite stochastic concurrent game). A finite concurrent 
game is a pair $(\mathcal{C}, W)$ where $\mathcal{C}$ is a finite concurrent colored arena and $W \subseteq K^\omega$ 
is Borel. The set W is called the objective, as it corresponds to the set of colored 
paths winning for Player A. 


In this paper, we only consider a specific kind of objectives: prefix-independent 
ones. Informally, they correspond to objectives W such that an infinite path p 
is in W if and only if any of its suffixes is in W. More formally: 
Definition 6 (Prefix-independent objectives). For a non-empty finite set 
of colors K and $W \subseteq K^\omega$, W is said to be prefix-independent (PI for short) if, 
for all $\rho \in K^\omega$ and $i \geq 0$, $\rho \in W \Leftrightarrow \rho_{\geq i} \in W$. 


In the following, we refer to concurrent games with prefix-independent objectives 
as PI concurrent games. 


Definition 7 (Parity, Büchi, co-Büchi objectives). Let $K \subseteq \mathbb{N}$ be a finite 
non-empty set of integers. Consider a concurrent arena $\mathcal{C}$ with K as set of col- 
ors. For an infinite path $\rho \in Q^\omega$, we denote by $\mathrm{col}(\rho)_\infty \subseteq \mathbb{N}$ the set of colors 
seen infinitely often in $\rho$: $\mathrm{col}(\rho)_\infty := \{n \in \mathbb{N} \mid \forall i \in \mathbb{N}, \exists j \geq i, \mathrm{col}(\rho_j) = n\}$. 
Then, the parity objective w.r.t. col is the set $W_{\mathrm{Pa}}(\mathrm{col}) := \{\rho \in Q^\omega \mid 
\max \mathrm{col}(\rho)_\infty \text{ is even}\}$. The Büchi (resp. co-Büchi) objective corresponds to the 
parity objective with $K := \{1, 2\}$ (resp. $K := \{0, 1\}$). 


Strategies are then defined as functions that, given the history of the game 
(i.e. the sequence of states already seen) associate a distribution on the actions 
available to the Player. 


Definition 8 (Strategies). Consider a concurrent game $\mathcal{C}$. A strategy for Player 
A is a function $s_A : Q^+ \to \mathcal{D}(A)$ with $A := \bigcup_{q \in Q} A_q$ such that, for all $\rho = 
q_0 \cdots q_n \in Q^+$, we have $s_A(\rho) \in \mathcal{D}(A_{q_n})$. We denote by $S^{\mathcal{C}}_A$ the set of all strate- 
gies in arena $\mathcal{C}$ for Player A. This is analogous for Player B. 


Given two strategies $s_A, s_B$ for both players in an arena $\mathcal{C}$ from a starting state 
$q_0$, we define in the usual manner the probability $\mathbb{P}^{\mathcal{C}, q_0}_{s_A, s_B}$ of a finite path which 
induces the probability of an arbitrary Borel subset of infinite paths. Values of 
strategies and of the game are defined below. 


Definition 9 (Value of strategies and of the game). Let $\mathcal{G} = (\mathcal{C}, W)$ be a 
PI concurrent game and consider a strategy $s_A \in S^{\mathcal{C}}_A$ for Player A. The function 
$\chi_{\mathcal{G}}[s_A] : Q \to [0,1]$ giving the value of the strategy $s_A$ is such that, for all $q_0 \in 
Q$, we have $\chi_{\mathcal{G}}[s_A](q_0) := \inf_{s_B \in S^{\mathcal{C}}_B} \mathbb{P}^{\mathcal{C}, q_0}_{s_A, s_B}[W]$. The function $\chi_{\mathcal{G}}[A] : Q \to [0,1]$ 
giving the value for Player A is such that, for all $q_0 \in Q$, we have $\chi_{\mathcal{G}}[A](q_0) := 
\sup_{s_A \in S^{\mathcal{C}}_A} \chi_{\mathcal{G}}[s_A](q_0)$. The function $\chi_{\mathcal{G}}[B] : Q \to [0,1]$ giving the value of the game 
for Player B is defined similarly by reversing the supremum and infimum. 

By Martin's result on the determinacy of Blackwell games [17], for all con- 
current games $\mathcal{G} = (\mathcal{C}, W)$, the value functions for both Players are equal; this 
defines the value function $\chi_{\mathcal{G}} : Q \to [0,1]$ of the game: $\chi_{\mathcal{G}} := \chi_{\mathcal{G}}[A] = \chi_{\mathcal{G}}[B]$. 


We define value areas: subsets of states whose values are the same. 


Definition 10 (Value area). In a PI concurrent game $\mathcal{G}$, $V_{\mathcal{G}}$ refers to the 
set of values appearing in the game: $V_{\mathcal{G}} := \{\chi_{\mathcal{G}}(q) \mid q \in Q\}$. Furthermore, for 
all $u \in V_{\mathcal{G}}$, $Q_u \subseteq Q$ refers to the set of states whose values are u w.r.t. $\chi_{\mathcal{G}}$: 
$Q_u := \{q \in Q \mid \chi_{\mathcal{G}}(q) = u\}$. 


In concurrent games, game forms appear at each state and describe the in- 
teractions of the players at that state. Furthermore, the valuation mapping each 
state to its value in the game can be lifted, via a convex combination, into a 
valuation of the Nature states. This, in turn, induces a natural way to define the 
game in normal form appearing at each state. 


Definition 11 (Local interactions, Lifting valuations). In a PI concurrent 
game $\mathcal{G}$ where the valuation $\chi_{\mathcal{G}} : Q \to [0,1]$ gives the values of the game, the 
lift $v_{\mathcal{G}} : D \to [0,1]$ is such that, for all $d \in D$, we have 
$v_{\mathcal{G}}(d) := \sum_{q \in Q} \chi_{\mathcal{G}}(q) \cdot \mathrm{dist}(d)(q)$ (recall that $\mathrm{dist} : D \to \mathcal{D}(Q)$ is the distribution function). 

Let $q \in Q$. The local interaction at state q is the game form 
$\mathcal{F}_q = (A_q, B_q, D, \delta(q, \cdot, \cdot))$. The game in normal form at state q is then 
$\mathcal{F}^{\chi_{\mathcal{G}}}_q = \langle \mathcal{F}_q, v_{\mathcal{G}} \rangle$. 


The values of the game in normal form $\mathcal{F}^{\chi_{\mathcal{G}}}_q$ and of the state q are equal. 


Proposition 1. In a PI concurrent game $\mathcal{G}$, for all states $q \in Q$, we have 
$\chi_{\mathcal{G}}(q) = \mathrm{val}_{\mathcal{F}^{\chi_{\mathcal{G}}}_q}$. 


4.2 More on strategies 


In this subsection, we define several kinds of strategies. Let us fix a PI concurrent 
game G for the rest of this section. First, we consider optimal strategies, i.e. 
strategies realizing the value of the game. Strategies are positively-optimal if 
their values are positive from all states whose value is positive. 


Definition 12 ((Positively-) optimal strategies). A Player A strategy $s_A \in 
S^{\mathcal{C}}_A$ is (resp. positively-) optimal from a state $q \in Q$ if $\chi_{\mathcal{G}}(q) = \chi_{\mathcal{G}}[s_A](q)$ (resp. 
if $\chi_{\mathcal{G}}(q) > 0 \Rightarrow \chi_{\mathcal{G}}[s_A](q) > 0$). It is (resp. positively-) optimal if this holds from 
all states $q \in Q$. 


Note that the definition of optimal strategies we consider is sometimes referred 
to as uniform optimality, as it holds from every state of the game. However, it 
does not say anything about what happens once some sequence of states has 
been seen. We would now like to define a notion of strategy that is optimal from 
any point that can occur after any finite sequence of states has been seen. This 
corresponds to subgame optimal strategies. To define them, we need to introduce 
the notion of residual strategy. 


Definition 13 (Residual and Subgame Optimal Strategies). For all finite 
sequences $\rho \in Q^*$, the residual strategy $s_A^{\rho}$ of a Player A strategy $s_A$ is the 
strategy $s_A^{\rho} : Q^+ \to \mathcal{D}(A)$ such that, for all $\pi \in Q^+$, we have $s_A^{\rho}(\pi) := s_A(\rho \cdot \pi)$. 

The Player A strategy $s_A$ is subgame optimal if, for all $\rho = \rho' \cdot q \in Q^+$, the 
residual strategy $s_A^{\rho'}$ is optimal from q, i.e. $\chi_{\mathcal{G}}[s_A^{\rho'}](q) = \chi_{\mathcal{G}}(q)$. 


Note that, in particular, subgame optimal strategies are optimal strategies. 
When such strategies do exist, we want them to be as simple as possible, for 
instance we want them to be positional, that is that they only depend on the 
current state of the game. 

As for Player B, we will consider a specific kind of strategies, namely deter- 
ministic strategies. That is because, once a Player A strategy is fixed, we obtain 
an (infinite) MDP. In such a context, ε-optimal strategies can be chosen among 
deterministic strategies (see for instance the explanation in [9, Thm. 1]). 
Definition 14 (Positional, Deterministic strategies). A Player A strategy 
$s_A$ is positional if, for all states $q \in Q$ and paths $\rho \in Q^+$ we have $s_A(\rho \cdot q) = s_A(q)$. 

A Player B strategy $s_B$ is deterministic if, for all finite sequences $\rho \cdot q \in Q^+$, 
there exists $b \in B_q$ such that $s_B(\rho \cdot q)(b) = 1$. 


5 Necessary and sufficient condition for subgame 
optimality 


In this section, we present a necessary and sufficient pair of conditions for a 
Player A strategy to be subgame optimal, formally stated in Theorem 1. The 
arguments given here are somewhat similar to the ones given in Section 4 of [4], 
which deals with the same question restricted to positional strategies. 

The first condition is local: it specifies how a strategy behaves in the games in 
normal form at each local interaction of the game. As mentioned in Proposition 1, 
at each state q, the value of the game in normal form $\mathcal{F}^{\chi_{\mathcal{G}}}_q$ is equal to the value 
of the state q (given by the valuation $\chi_{\mathcal{G}} \in [0,1]^Q$). This suggests that, for all 
finite sequences of states $\rho = \rho' \cdot q \in Q^+$ ending at that state q, the GF-strategy $s_A(\rho)$ 
needs to be optimal in the game in normal form $\mathcal{F}^{\chi_{\mathcal{G}}}_q$ for the residual strategy $s_A^{\rho'}$ 
to be optimal from q. Strategies with such a property are called locally optimal. 
This is a necessary condition for subgame optimality. (However, it is neither a 
necessary nor a sufficient condition for optimality, as argued in Section 6). 


Definition 15 (Locally optimal strategies). Consider a PI concurrent game 
$\mathcal{G}$. A Player A strategy $s_A$ is locally optimal if, for all $\rho = \rho' \cdot q \in Q^+$, the GF- 
strategy $s_A(\rho)$ is optimal in the game in normal form $\mathcal{F}^{\chi_{\mathcal{G}}}_q$. That is, recalling 
that $v_{\mathcal{G}} \in [0,1]^D$ lifts the valuation $\chi_{\mathcal{G}} \in [0,1]^Q$ to the Nature states, for all 
$b \in B_q$: $\chi_{\mathcal{G}}(q) \leq \sum_{a \in A_q} s_A(\rho)(a) \cdot v_{\mathcal{G}} \circ \delta(q, a, b) = \mathrm{out}_{\mathcal{F}^{\chi_{\mathcal{G}}}_q}(s_A(\rho), b)$. 
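As an added example (not from the paper) of Definitions 2, 3, 11 and 15 together: exact computation of the outcome and value of a two-row game in normal form with rational arithmetic, the lift of a valuation to the Nature states, and the local-optimality check at a state. The one-state arena, its Nature states and the value χ_G(q0) = 1/3 are constructed assumptions; Proposition 1 is what lets the code confirm that χ_G(q0) equals the value of the game in normal form at q0.

```python
from fractions import Fraction
from itertools import product

# ---- Games in normal form (Definitions 2 and 3) ----------------------------
# rho[a][b] in [0,1]: rows are Player A actions, columns Player B actions.
# A GF-strategy is a dict action -> probability (a discrete distribution).

def outcome(rho, sigma_a, sigma_b):
    """out_F(sigma_A, sigma_B) = sum_a sum_b sigma_A(a) * sigma_B(b) * rho(a, b)."""
    return sum(sigma_a[a] * sigma_b[b] * rho[a][b] for a in sigma_a for b in sigma_b)

def strategy_value(rho, sigma_a):
    """val_F(sigma_A) = inf over sigma_B of out_F(sigma_A, sigma_B).  The outcome
    is linear in sigma_B, so the infimum is reached at a pure column b."""
    cols = next(iter(rho.values()))
    return min(sum(sigma_a[a] * rho[a][b] for a in sigma_a) for b in cols)

def optimal_two_row(rho):
    """Exact optimal GF-strategy of Player A for a game with two rows a1, a2.
    With x = sigma_A(a1), val(x) = min_b (x*rho[a1][b] + (1-x)*rho[a2][b]) is
    concave and piecewise linear, so its maximum is at x in {0, 1} or at a
    point where two of the lines cross; we enumerate those candidates."""
    a1, a2 = rho
    cols = list(rho[a1])
    candidates = {Fraction(0), Fraction(1)}
    for b, c in product(cols, repeat=2):
        # line_b(x) = rho[a2][b] + x*(rho[a1][b] - rho[a2][b]); solve line_b = line_c
        slope_diff = (rho[a1][b] - rho[a2][b]) - (rho[a1][c] - rho[a2][c])
        if slope_diff != 0:
            x = Fraction(rho[a2][c] - rho[a2][b]) / slope_diff
            if 0 <= x <= 1:
                candidates.add(x)
    best = max(candidates, key=lambda x: strategy_value(rho, {a1: x, a2: 1 - x}))
    sigma = {a1: best, a2: 1 - best}
    return sigma, strategy_value(rho, sigma)

# ---- Local interactions in a concurrent arena (Definition 11) --------------
# Constructed one-state arena (an assumption, not an example from the paper):
# at q0 the players pick a1/a2 and b1/b2; Nature states d_win and d_lose move
# surely to absorbing states win / lose, and d_mix is a fair coin between them.
DELTA = {  # delta(q0, a, b) -> Nature state
    ("a1", "b1"): "d_win", ("a1", "b2"): "d_lose",
    ("a2", "b1"): "d_lose", ("a2", "b2"): "d_mix",
}
DIST = {   # dist(d) in D(Q)
    "d_win": {"win": Fraction(1)}, "d_lose": {"lose": Fraction(1)},
    "d_mix": {"win": Fraction(1, 2), "lose": Fraction(1, 2)},
}
# Values chi_G: win / lose are absorbing with values 1 / 0, and chi_G(q0) = 1/3
# is the value of the resulting one-shot interaction (confirmed via Proposition 1).
CHI = {"q0": Fraction(1, 3), "win": Fraction(1), "lose": Fraction(0)}

def lift(chi, dist):
    """v_G(d) = sum_q chi_G(q) * dist(d)(q) for every Nature state d."""
    return {d: sum(chi[q] * p for q, p in dist[d].items()) for d in dist}

def normal_form_at(delta_q, lifted):
    """The game in normal form <F_q, v_G>: rho(a, b) = v_G(delta(q, a, b))."""
    rows = sorted({a for a, _ in delta_q})
    cols = sorted({b for _, b in delta_q})
    return {a: {b: lifted[delta_q[(a, b)]] for b in cols} for a in rows}

def is_locally_optimal_at(chi_q, rho, sigma):
    """Definition 15 at one state: chi_G(q) <= sum_a sigma(a) * v_G(delta(q,a,b))
    for every Player B action b, i.e. sigma is optimal in <F_q, v_G>."""
    cols = next(iter(rho.values()))
    return all(chi_q <= sum(sigma[a] * rho[a][b] for a in sigma) for b in cols)

def analyse():
    """Returns (rho at q0, optimal sigma, its value, local optimality of that
    sigma, local optimality of the pure GF-strategy 'always a1')."""
    rho = normal_form_at(DELTA, lift(CHI, DIST))
    sigma, val = optimal_two_row(rho)
    pure = {"a1": Fraction(1), "a2": Fraction(0)}
    return (rho, sigma, val,
            is_locally_optimal_at(CHI["q0"], rho, sigma),
            is_locally_optimal_at(CHI["q0"], rho, pure))

if __name__ == "__main__":
    rho, sigma, val, ok, pure_ok = analyse()
    print("normal form at q0:", rho)
    print("optimal GF-strategy:", sigma, "value:", val, "= chi(q0):", val == CHI["q0"])
    print("locally optimal at q0?  optimal sigma:", ok, "  pure a1:", pure_ok)
```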


Lemma 1. In a PI concurrent game, subgame optimal strategies are locally op- 
timal. 


Note that this was already shown for positional strategies in [4]. 

Local optimality does not ensure subgame optimality in general. However, it 
does ensure that, for all Player B deterministic strategies, the game almost-surely 
eventually settles in a value area, i.e. in some $Q_u$ for some $u \in V_{\mathcal{G}}$. 


Lemma 2. Consider a PI concurrent game $\mathcal{G}$ and a Player A locally optimal 
strategy $s_A$. For all Player B deterministic strategies $s_B$, almost surely the states 
seen infinitely often have the same value. That is, for all $q \in Q$: $\mathbb{P}^{\mathcal{C}, q}_{s_A, s_B}[\bigcup_{u \in V_{\mathcal{G}}} Q^* \cdot (Q_u)^\omega] = 1$. 


Proof (Sketch). First, if a state of value 1 is reached (i.e. a state in $Q_1$), then 
all states that can be seen with positive probability have value 1 (i.e. are in 
$Q_1$), since the strategy $s_A$ is locally optimal. Let now $u \in V_{\mathcal{G}}$ be the highest 
value in $V_{\mathcal{G}}$ that is not 1 and consider the set of infinite paths such that the 
set $Q_u$ is seen infinitely often but the game does not settle in it, i.e. the set 
$(Q^* \cdot (Q \setminus Q_u))^\omega \cap (Q^* \cdot Q_u)^\omega \subseteq Q^\omega$. Since the strategy $s_A$ is locally optimal (and 
since $V_{\mathcal{G}}$ is finite), one can show that there is a positive probability $p > 0$ such 
that the conditional probability of reaching $Q_1$ knowing that $Q_u$ is left is at least 
p. Hence, if $Q_u$ is left infinitely often, almost-surely the set $Q_1$ is seen (and never 
left). It follows that the probability of the event $(Q^* \cdot (Q \setminus Q_u))^\omega \cap (Q^* \cdot Q_u)^\omega$ 
is 0. This implies that, almost-surely, if the set $Q_u$ is seen infinitely often, then 
at some point it is never left. The same arguments can then be used with the 
highest value in $V_{\mathcal{G}}$ that is less than u, etc. Overall, we obtain that, for all $u \in V_{\mathcal{G}}$, 
if a set $Q_u$ is seen infinitely often, it is eventually never left almost-surely. 


Local optimality ensures that, at each step, the expected value of the states 
reached does not worsen (and may even improve if Player B does not play op- 
timally). By propagating this property, we obtain that, given a Player A locally 
optimal strategy and a Player B deterministic strategy, the convex combination 
of the values u in $V_{\mathcal{G}}$ weighted by the probability of settling in the value area 
$Q_u$, from a state q, is at least equal to its value $\chi_{\mathcal{G}}(q)$. This is stated in Lemma 3 
below. 


Lemma 3. For a PI concurrent game $\mathcal{G}$, a Player A locally optimal strategy 
$s_A$, a Player B deterministic strategy $s_B$ and a state $q \in Q$: 
$\chi_{\mathcal{G}}(q) \leq \sum_{u \in V_{\mathcal{G}}} u \cdot \mathbb{P}^{\mathcal{C}, q}_{s_A, s_B}[Q^* \cdot (Q_u)^\omega]$. 

Note that if Player B plays subgame optimally, then this inequality is an equality. 


Proof (Sketch). First, let us denote $\mathbb{P}^{\mathcal{C}, q}_{s_A, s_B}$ by $\mathbb{P}$. It can be shown by induction that, 
for all $i \in \mathbb{N}^*$, we have the property $P(i)$: 
$\chi_{\mathcal{G}}(q) \leq \sum_{\pi = q \cdot \rho \cdot q' \in q \cdot Q^{i}} \chi_{\mathcal{G}}(q') \cdot \mathbb{P}[\pi] = \sum_{u \in V_{\mathcal{G}} \setminus \{0\}} u \cdot \mathbb{P}[q \cdot Q^{i-1} \cdot Q_u]$. 
Furthermore, since by Lemma 2, the game almost- 
surely settles in a value area, it can be shown that for n large enough, the 
probability of being in $Q_u$ after n steps (i.e. $\mathbb{P}[q \cdot Q^{n-1} \cdot Q_u]$) is arbitrarily close 
to the probability of eventually settling in $Q_u$ (i.e. $\mathbb{P}[Q^* \cdot (Q_u)^\omega]$). We can then 
apply $P(n)$ to obtain the desired inequality. 


Recall that we are considering a pair of conditions to characterize that a 
strategy is subgame optimal. The first condition is local optimality. To summa- 
rize, we have seen that the fact that a strategy is locally optimal ensures that, 
from any state q, the expected value of the value areas where the game settles 
is at least $\chi_{\mathcal{G}}(q)$. However, local optimality does not ensure anything as to the 
probability of W given that the game settles in a specific value area. This is 
where the second condition comes into play. For the explanations regarding this 
condition, we will need Lemma 4 below: a consequence of Lévy's 0-1 law. 


Lemma 4. Let $\mathcal{M}$ be a countable Markov chain with a PI objective. If there is a $q \in Q$ such that $\chi_{\mathcal{M}}(q) < 1$, then $\inf_{q' \in Q} \chi_{\mathcal{M}}(q') = 0$.


Consider now a Player A subgame optimal strategy $s_A$ and a Player B deterministic strategy. Let us consider what happens if the game eventually settles in $Q_u$ for some $u \in V_{\mathcal{G}} \setminus \{0\}$. Assume towards a contradiction that there is a finite path after which the probability of $W$ given that the play eventually settles in $Q_u$ is less than 1. Then, there is a continuation of this path ending in $Q_u$ for which this probability of $W$ is less than $u$. Indeed, it was shown that, for a PI objective, in a countable Markov chain (which is what we obtain once strategies for both players are fixed), if there is a state with a value less than 1, then the infimum of the values in the Markov chain is 0 (this is what is stated in Lemma 4). Following our above towards-a-contradiction assumption, there would be a finite path from which the Player A strategy $s_A$ is not optimal. This is in contradiction with the fact that it is subgame optimal. Hence, a second necessary condition (in addition to the local optimality assumption) for subgame optimality is: from all finite paths, for all Player B deterministic strategies, for all positive values $u \in V_{\mathcal{G}} \setminus \{0\}$, the probability of $W$ and eventually settling in $Q_u$ is equal to the probability of eventually settling in $Q_u$. We obtain the theorem below.


Theorem 1. Consider a concurrent game $\mathcal{G}$ with a PI objective $W$ and a Player A strategy $s_A \in S_A$. The strategy $s_A$ is subgame optimal if and only if:

— it is locally optimal;
— for all $\rho \in Q^+$, for all Player B deterministic strategies $s_B$, for all values $u \in V_{\mathcal{G}} \setminus \{0\}$, we have $\mathbb{P}^{s_A,s_B}_\rho[W \cap Q^* \cdot (Q_u)^\omega] = \mathbb{P}^{s_A,s_B}_\rho[Q^* \cdot (Q_u)^\omega]$.


Proof (Sketch). Lemma 1 states that local optimality is necessary and we have 
informally argued above why the second condition is also necessary for subgame 
optimality. As for the fact that they are sufficient conditions, this is a direct 
consequence of Lemmas 2 and 3 and the fact that deterministic strategies can 
achieve the same values as arbitrary strategies in MDPs (which we obtain once 
a Player A strategy is fixed), as cited in Subsection 4.2. 


One may ask what happens in the special case where the strategy $s_A$ considered is positional. As mentioned above, such a characterization was already presented in [4]¹. Overall, we obtain a similar result except that the second condition is replaced by what happens in the game restricted to the End Components in the Markov Decision Process induced by the positional strategy $s_A$.


6 From subgame almost-surely winning to subgame optimality


In [14, Thm. 4.5], the authors have proved a transfer result in PI turn-based games: the amount of memory sufficient to play optimally in every state of value 1 of every game is also sufficient to play optimally in every game. This result does not hold on concurrent games as is. First, although there are always optimal strategies in PI turn-based games (as proved in the same paper [14, Thm. 4.3]), there are PI concurrent games without optimal strategies. Second, infinite memory may be required to play optimally in co-Büchi concurrent games whereas almost-surely winning strategies can be found among positional strategies in a turn-based setting. This can be seen in the game of Figure 1 with $\mathrm{col}(q_0) = 0$ and $\mathrm{col}(q_1) = \mathrm{col}(q_1') = 1$. The green values in the local interaction at state $q_0$ are the values of the game if they are reached (the game ends immediately). If a green value is not reached, the objective of Player A is to see only finitely often the states $q_1$ and $q_1'$. It has already been argued in [4] that the value of this game is $1/2$ and that there is an optimal strategy for Player A but it requires infinite memory. To play optimally, Player A must play the top row with probability $1 - \varepsilon_k$ and the middle row with probability $\varepsilon_k$, for $\varepsilon_k > 0$ that goes (fast) to 0 when $k$ goes to $\infty$ (where $k$ denotes the number of steps). The $\varepsilon_k$ must be chosen so that, if Player B always plays the left column with probability 1, then the state $q_1$ is seen finitely often with probability 1. Furthermore, as soon as the state $q_1'$ is visited, Player A switches to a positional strategy playing the bottom row with probability $\varepsilon_k'$, small enough (where $k$ denotes the number of steps before the state $q_1'$ was seen), and the two top rows with probability $(1 - \varepsilon_k')/2$.

¹ The proof was only presented for a specific class of objectives.

Fig. 1. A co-Büchi game. Fig. 2. A parity game. Fig. 3. A concurrent game with $A_{q_0} = \{a_1, a_2\}$.

Hence, the transfer of memory from almost-surely winning to optimal does not hold in concurrent games even if it is assumed that optimal strategies exist. However, one can note that although the strategy described above is optimal, it is not subgame optimal. Indeed, when the strategy switches, the value of the residual strategy is $1/2 - \varepsilon_k' < 1/2$. In fact, there is no subgame optimal strategy in that game. Actually, if we assume that not only optimal but subgame optimal strategies exist, then the transfer of memory will hold.

The aim of this section is twofold: first, we identify a necessary and sufficient condition for the existence of subgame optimal strategies². Second, we establish the above-mentioned memory transfer that relates the amount of memory to play subgame optimally and to be almost-surely winning. Before stating the main theorem of this section, let us first introduce the definition of positionally subgame almost-surely winnable objective, i.e. objectives for which subgame almost-surely winning strategies can be found among positional strategies.


Definition 16 (Positionally subgame almost-surely winnable objective). Consider a PI objective $W \subseteq K^\omega$. It is said to be a positionally subgame almost-surely winnable objective (PSAW for short) if the following holds: in all concurrent games $\mathcal{G} = (\mathcal{C}, W)$ where there is a subgame almost-surely winning strategy, there is a positional one.

² Note that this is different from what we did in the previous section: there, we established a necessary and sufficient condition for a specific strategy to be subgame optimal. Here, given a game, we consider necessary and sufficient conditions on the game for the existence of a subgame optimal strategy.


Theorem 2. Consider a non-empty finite set of colors $K$ and a PI objective $\emptyset \subsetneq W \subseteq K^\omega$. Consider a concurrent game $\mathcal{G}$ with objective $W$. Then, the three following assertions are equivalent:

a. there exists a subgame optimal strategy;
b. there exists an optimal strategy that is locally optimal;
c. there exists a positively-optimal strategy that is locally optimal.

Furthermore, if this holds and if the objective $W$ is PSAW, then there exists a subgame optimal positional strategy.


First, note that the equivalence is stated in terms of existence of strategies, not on the strategies themselves. In particular, any subgame optimal strategy is both optimal and locally optimal; however, an optimal strategy that is locally optimal is not necessarily a subgame optimal strategy. Second, it is straightforward that point a implies point b (from Theorem 1) and that point b implies point c (by definition of positively-optimal strategies). In the remainder of this section, we explain informally the constructions leading to the proof of this theorem, i.e. to the proof that point c implies point a. The transfer of memory is a direct consequence of the way this theorem is proven. We fix a PI concurrent game $\mathcal{G} = (\mathcal{C}, W)$ for the rest of the section.

The idea is as follows. As stated in Theorem 1, subgame optimal strategies are locally optimal and win the game almost-surely if the game settles in a value area $Q_u$ for some positive $u \in V_{\mathcal{G}} \setminus \{0\}$. Our idea is therefore to consider subgame almost-surely winning strategies in the derived game $\mathcal{G}_u$: a "restriction" of the game $\mathcal{G}$ to $Q_u$ (more details will be given later). We can then glue together these subgame almost-surely winning strategies (defined for all $u \in V_{\mathcal{G}} \setminus \{0\}$) into a subgame optimal strategy. However, there are some issues:


1. the state values in the game $\mathcal{G}_u$ should all be equal to 1;

2. furthermore, there must exist a subgame almost-surely winning strategy in $\mathcal{G}_u$;

3. this subgame almost-surely winning strategy in $\mathcal{G}_u$ should be locally optimal when considered in the whole game $\mathcal{G}$.


Note that the method we use here is different from what the authors of [14] did 
to prove the transfer of memory in turn-based games. 

Let us first deal with issue 3. One can ensure that the almost-surely winning strategies in the game $\mathcal{G}_u$ are all locally optimal in $\mathcal{G}$ by properly defining the game $\mathcal{G}_u$. More specifically, this is done by enforcing that the only Player A possible strategies in $\mathcal{G}_u$ are locally optimal in the game $\mathcal{G}$. To do so, we construct the game $\mathcal{G}_u$ whose state space is $Q_u$ (plus gadget states) but whose set of actions $A_{\mathcal{F}_q}$, at a state $q \in Q_u$, is such that the set of strategies $\mathcal{D}(A_{\mathcal{F}_q})$ corresponds exactly to the set of optimal strategies in the original game in normal form $\mathcal{F}_q$, while keeping the set of actions $A_{\mathcal{F}_q}$ for Player A finite. This is possible thanks to Proposition 2 below: in every game in normal form $\mathcal{F}_q$ at state $q \in Q_u$, there exists a finite set $A_{\mathcal{F}_q}$ of optimal strategies such that the optimal strategies in $\mathcal{F}_q$ are exactly the convex combinations of strategies in $A_{\mathcal{F}_q}$. This is a well-known result, argued for instance in [18].


Proposition 2. Consider a game in normal form $\mathcal{F} = (A, B, [0,1], \delta)$ with $|A| = n$ and $|B| = k$. There exists a set $A_{\mathcal{F}} \subseteq \mathrm{Opt}_A(\mathcal{F})$ of optimal strategies such that $|A_{\mathcal{F}}| \le n + k$ and $\mathcal{D}(A_{\mathcal{F}}) = \mathrm{Opt}_A(\mathcal{F})$.


Proof (Sketch). One can write a system of $n + k$ inequalities (with some additional equalities) whose set of solutions is exactly the set of optimal GF-strategies $\mathrm{Opt}_A(\mathcal{F})$. The result then follows from standard arguments on systems of inequalities, as the space of solutions is in fact a polytope with at most $n + k$ vertices.


We illustrate this construction: a part of a concurrent game is depicted in 
Figure 3 and the change of the interaction of the players at state qo is depicted 
in Figures 4, 5, 6 and 7. 

The game $\mathcal{G}_u$ has the same objective $W$ as the game $\mathcal{G}$. Since we want all the states to have value 1 in $\mathcal{G}_u$ (recall issue 1), we will build the game $\mathcal{G}_u$ such that any edge leading to a state not in $Q_u$ in $\mathcal{G}$ now leads to a PI concurrent game $\mathcal{G}_W$ (with the same objective $W$) where all states have value 1. The game $\mathcal{G}_W$ is (for instance) a clique with all colors in $K$ where Player A plays alone.

An illustration of this construction can be found in Figures 8 and 9. The blue dotted arrows are the ones that need to be redirected when the game is changed. With such a definition, we have made some progress w.r.t. issue 1 cited previously (regarding the values being equal to 1): the values of all states of the game $\mathcal{G}_u$ are positive (for positive $u$).


Lemma 5. Consider the game $\mathcal{G}_u$ for some positive $u \in V_{\mathcal{G}} \setminus \{0\}$ and assume that, in $\mathcal{G}$, there exists a positively-optimal strategy that is locally optimal. Then, for all states $q$ in $\mathcal{G}_u$, the value of the state $q$ in $\mathcal{G}_u$ is positive: $\chi_{\mathcal{G}_u}(q) > 0$.


Proof (Sketch). Consider a state $q \in Q_u$ and a Player A locally optimal strategy $s_A$ in $\mathcal{G}$ that is positively-optimal from $q$. Then, the strategy $s_A$ (restricted to $Q_u^+$) can be seen as a strategy in $\mathcal{G}_u$ (it has to be defined in $\mathcal{G}_W$, but this can be done straightforwardly). Note that this is only possible because the strategy $s_A$ is locally optimal (due to the definition of $\mathcal{G}_u$). For a Player B strategy $s_B$ in $\mathcal{G}_u$, consider what happens with strategies $s_A$ and $s_B$ in both games $\mathcal{G}_u$ and $\mathcal{G}$. Either the game stays indefinitely in $Q_u$, and what happens in $\mathcal{G}_u$ and $\mathcal{G}$ is identical. Or it eventually leaves $Q_u$, leading to states of value 1 in $\mathcal{G}_u$. Hence, the value of the game $\mathcal{G}_u$ from $q$ with strategies $s_A$ and $s_B$ is at least the value of the game $\mathcal{G}$ from $q$ with the same strategies. Thus, the value of the state $q$ is positive in $\mathcal{G}_u$.

Fig. 8. The depiction of a PI concurrent game with its value areas. Fig. 9. The PI concurrent game after the modifications described above.


As it turns out, Lemma 5 suffices to deal with both issues 1 and 2 at the 
same time. Indeed, as stated in Theorem 3 below, it is a general result that in a 
PI concurrent game, if all states have positive values, then all states have value 
1 and there is a subgame almost-surely winning strategy. 


Theorem 3. Consider a PI concurrent game $\mathcal{G}$ and assume that all state values are greater than or equal to some $c > 0$, i.e. for all $q \in Q$, $\chi_{\mathcal{G}}(q) \ge c$. Then, there is a subgame almost-surely winning strategy in $\mathcal{G}$.


Remark 1. This theorem can be seen as a strengthening of Theorem 1 from [6]. Indeed, that Theorem 1 states that if all states have positive values, then they all have value 1 (this is then generalized to games with countably-many states). Theorem 3 is stronger since it ensures the existence of (subgame) almost-surely winning strategies. Although a detailed proof is provided in the complete version of this paper [5], note that this theorem was already stated and proven in [14] in the context of PI turn-based games. Nevertheless, their arguments could have been used verbatim for concurrent games as well. In [5], we give a proof using the same construction (namely, reset strategies) but we argue differently why the construction proves the theorem.


We can now glue together pieces of strategies $s_A^u$ defined in all games $\mathcal{G}_u$ into a single strategy $s_A[(s_A^u)_{u \in V_{\mathcal{G}} \setminus \{0\}}]$. Informally, the glued strategy mimics the strategy $s_A^u$ on $Q_u^+$ and switches strategy when a value area is left and another one is reached.


Definition 17 (Gluing strategies). Consider a PI concurrent game $\mathcal{G}$ and, for all values $u \in V_{\mathcal{G}} \setminus \{0\}$, a strategy $s_A^u$ in the game $\mathcal{G}_u$. Then, we glue these strategies into the strategy $s_A[(s_A^u)_{u \in V_{\mathcal{G}} \setminus \{0\}}] : Q^+ \to \mathcal{D}(A)$, simply written $s_A$, such that, for all $\rho$ ending at state $q \in Q$:

$$
s_A(\rho) :=
\begin{cases}
s_A^u(\pi) & \text{if } u = \chi_{\mathcal{G}}(q) > 0, \text{ for } \pi \text{ the longest suffix of } \rho \text{ in } Q_u^+ \\
\text{arbitrary} & \text{if } \chi_{\mathcal{G}}(q) = 0
\end{cases}
$$


As stated in Lemma 6 below, the construction described in Definition 17 transfers subgame almost-surely winning strategies in the games $\mathcal{G}_u$ into a subgame optimal strategy in $\mathcal{G}$.


Lemma 6. For all $u \in V_{\mathcal{G}} \setminus \{0\}$, let $s_A^u$ be a subgame almost-surely winning strategy in $\mathcal{G}_u$. The glued strategy $s_A[(s_A^u)_{u \in V_{\mathcal{G}} \setminus \{0\}}]$, denoted $s_A$, is subgame optimal in $\mathcal{G}$.


Proof (Sketch). We apply Theorem 1. First, the strategy $s_A$ is locally optimal in all $Q_u$ for $u > 0$ by the strategy restriction done to define the game $\mathcal{G}_u$ (only optimal strategies are considered in each game in normal form $\mathcal{F}_q$ at states $q \in Q_u$). Furthermore, any strategy is optimal in a game in normal form of value 0 (which is the case of the games in normal form of states in $Q_0$). Second, if the game eventually settles in a value area $Q_u$ for some $u > 0$, from then on the strategy $s_A$ mimics the strategy $s_A^u$, which is subgame almost-surely winning in $\mathcal{G}_u$. Hence, the probability of $W$ given that the game eventually settles in $Q_u$ is 1. This holds for all $u \in V_{\mathcal{G}} \setminus \{0\}$, so the second condition of Theorem 1 holds.


We now have all the ingredients to prove Theorem 2. 


Proof (Of Theorem 2). We consider the PI concurrent game $\mathcal{G}$ and assume that there is a positively-optimal strategy that is locally optimal. Then, by Lemma 5, for all positive values $u \in V_{\mathcal{G}} \setminus \{0\}$, all states in $\mathcal{G}_u$ have positive values. It follows, by Theorem 3, that there exists a subgame almost-surely winning strategy in every game $\mathcal{G}_u$ for $u \in V_{\mathcal{G}} \setminus \{0\}$. We then obtain a subgame optimal strategy by gluing these strategies together, as given by Lemma 6.

The second part of the theorem, dealing with the transfer of positionality from subgame almost-surely winning to subgame optimal, follows from the fact that if all strategies $s_A^u$ are positional for all $u \in V_{\mathcal{G}} \setminus \{0\}$, then so is the glued strategy $s_A[(s_A^u)_{u \in V_{\mathcal{G}} \setminus \{0\}}]$.
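The gluing of Definition 17, together with the observation just made in the proof of Theorem 2 that gluing positional strategies yields a positional strategy, as an added Python example (this is not code from the paper). It assumes a finite state space given as a dict of state values, per-area strategies supplied as callables on finite paths inside $Q_u^+$, and constructed sample states q0, q1, q2, q3 with made-up values; the games $\mathcal{G}_u$ themselves are not modelled, only the "longest suffix in $Q_u$" memory that the definition relies on.

```python
"""Gluing per-value-area strategies into one strategy (Definition 17).

Added example, not code from the paper. A finite state space is given as a
dict mapping each state q to its value chi_G(q); the per-area strategies s_A^u
are plain callables on finite paths inside Q_u, so the games G_u themselves
are not modelled here. A GF-strategy is a dict action -> probability.
"""
from typing import Callable, Dict, Hashable, Iterable, Tuple

State = Hashable
Path = Tuple[State, ...]                   # a finite path rho in Q^+
Distribution = Dict[str, float]            # a GF-strategy over Player A actions
Strategy = Callable[[Path], Distribution]  # maps a finite path to a GF-strategy


def longest_suffix_in_area(value: Dict[State, float], path: Path) -> Path:
    """Longest suffix pi of `path` whose states all lie in Q_u, where u is the
    value of the last state of `path`; pi is never empty."""
    u = value[path[-1]]
    i = len(path)
    while i > 0 and value[path[i - 1]] == u:
        i -= 1
    return path[i:]


def glue(value: Dict[State, float],
         area_strategies: Dict[float, Strategy],
         arbitrary: Distribution) -> Strategy:
    """s_A[(s_A^u)_u] of Definition 17: on a path ending in a state of positive
    value u, play s_A^u on the longest suffix inside Q_u; on a state of value 0
    any fixed GF-strategy will do."""
    def glued(path: Path) -> Distribution:
        u = value[path[-1]]
        if u == 0:
            return dict(arbitrary)
        return area_strategies[u](longest_suffix_in_area(value, path))
    return glued


def is_positional(strategy: Strategy, paths: Iterable[Path]) -> bool:
    """On a finite sample of paths, check that the prescribed GF-strategy
    depends only on the last state (the positionality transfer of Theorem 2)."""
    seen: Dict[State, Distribution] = {}
    for p in paths:
        d = strategy(p)
        if seen.setdefault(p[-1], d) != d:
            return False
    return True


# --- constructed sample data (not from the paper) ---------------------------
# Four states: q0 and q1 form the value area Q_{1/2}, q2 is Q_1, q3 is Q_0.
VALUE: Dict[State, float] = {"q0": 0.5, "q1": 0.5, "q2": 1.0, "q3": 0.0}
ARBITRARY: Distribution = {"a": 1.0}


def counting_strategy(suffix: Path) -> Distribution:
    """Infinite-memory strategy on Q_{1/2}: the probability of action b decays
    with the number n of steps already spent in the area (epsilon_n = 2^-n)."""
    n = len(suffix)
    return {"a": 1.0 - 0.5 ** n, "b": 0.5 ** n}


POSITIONAL_TABLE: Dict[State, Distribution] = {
    "q0": {"a": 1.0}, "q1": {"a": 0.5, "b": 0.5}, "q2": {"b": 1.0}}


def positional_strategy(suffix: Path) -> Distribution:
    """A positional strategy: it looks only at the current state."""
    return dict(POSITIONAL_TABLE[suffix[-1]])


# Memory is reset whenever the play leaves and re-enters Q_{1/2}: on
# (q2, q0, q1, q0) three steps have been spent in the area, on (q0, q1, q2, q0)
# only one, so the same current state q0 gets two different GF-strategies.
GLUED = glue(VALUE, {0.5: counting_strategy, 1.0: positional_strategy}, ARBITRARY)

# Gluing positional per-area strategies yields a positional strategy.
ALL_POSITIONAL = glue(VALUE, {0.5: positional_strategy, 1.0: positional_strategy}, ARBITRARY)

SAMPLE_PATHS = [("q2", "q0", "q1", "q0"), ("q0", "q1", "q2", "q0"), ("q0", "q2"),
                ("q1",), ("q0", "q3"), ("q3", "q1")]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, GLUED(p))
    print("glued counting strategy positional?", is_positional(GLUED, SAMPLE_PATHS))
    print("glued positional strategies positional?", is_positional(ALL_POSITIONAL, SAMPLE_PATHS))
```

The check in `is_positional` is only over the sampled paths, which is all one can test by execution; the proof of Theorem 2 gives the general statement, since the glued strategy's output on a path is the area strategy's output on a suffix ending in the same state.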


We now apply the result of Theorem 2 to two specific classes of objectives: Büchi and co-Büchi objectives. Note that this result is already known for Büchi objectives, proven in [4].


Corollary 1. Consider a concurrent game with a Büchi (resp. co-Büchi) objective and assume that there is a positively-optimal strategy that is locally optimal. Then there is a subgame optimal positional strategy.


Note that it is also possible to prove a memory transfer from subgame almost- 
surely winning to subgame optimal for an arbitrary memory skeleton, instead of 
only positional strategies. This adds only a few minor difficulties. 
Application to the turn-based setting. The aim of Section 6 was to extend an already existing result on turn-based games to the context of concurrent games. This required an adaptation of the assumptions. However, it is in fact possible to retrieve the original result on turn-based games from Theorem 2 in a fairly straightforward manner. It amounts to showing that, in all finite turn-based games $\mathcal{G}$, for all values $u \in V_{\mathcal{G}} \setminus \{0\}$, there is a locally optimal strategy that is positively-optimal from all states in $Q_u$.


7 Finite-choice strategies 


In this section, we introduce a new kind of strategies, namely finite-choice strategies. Let us first motivate why we consider such strategies. Consider again the co-Büchi game of Figure 1. Recall that the optimal strategy we described first plays the top row with increasing probability and the middle row with decreasing probability and then, once Player B plays the second column, switches to a positional strategy playing the bottom row with positive, yet small enough probability. Note that switching strategy is essential. Indeed, if Player A does not switch, Player B could at some point opt for the middle column and see a state of color 1 indefinitely with very high probability. In fact, what happens in that case is rather counter-intuitive: once Player B switches, there is infinitely often a positive probability to reach the outcome of value 1. However, the probability of ever reaching this outcome can be arbitrarily small if Player B waits long enough before playing the middle column. This happens because the probability $\varepsilon_k$ to visit that outcome goes (fast) to 0 when $k$ goes to $\infty$. In fact, such an optimal strategy has "infinite choice" in the sense that it may prescribe infinitely many different probability distributions.

In this section, we consider finite-choice strategies, i.e. strategies that can use only finitely many GF-strategies at each state.


Definition 18 (Finite-choice strategy). Let $\mathcal{G}$ be a concurrent game. A Player A strategy $s_A$ in $\mathcal{G}$ has finite choice if, for all $q \in Q$, the set $S_A^q := \{ s_A(\rho \cdot q) \mid \rho \in Q^* \} \subseteq \mathcal{D}(A_q)$ is finite.


Note that positional (even finite-memory) and deterministic strategies are examples of finite-choice strategies.

Interestingly, we can link finite-choice strategies with the existence of subgame optimal strategies. In general it does not hold that if there are optimal strategies, then there exist subgame optimal strategies (as exemplified in the game of Figure 1). However, in Theorem 4 below, we state that if we additionally assume that the optimal strategy considered has finite choice, then there is a subgame optimal strategy (that also has finite choice).


Theorem 4. Consider a PI concurrent game $\mathcal{G}$. If there is a finite-choice optimal strategy, then there is a finite-choice subgame optimal strategy.


Proof (Sketch). Consider such an optimal finite-choice strategy $s_A$. In particular, note that there is a constant $c > 0$ such that for all $\rho \cdot q \in Q^+$, for all $a \in A_q$, we have: $s_A(\rho \cdot q)(a) > 0 \Rightarrow s_A(\rho \cdot q)(a) \ge c$. We build a subgame optimal strategy $s_A'$ in the following way: for all $\rho = \rho' \cdot q \in Q^+$, if the residual strategy $s_A^{\rho}$ is optimal, then $s_A'(\rho) := s_A(\rho)$, otherwise $s_A'(\rho) := s_A(q)$ (i.e. we reset the strategy). Straightforwardly, the strategy $s_A'$ has finite choice. We want to apply Theorem 1 to prove that it is subgame optimal. One can see that it is locally optimal (by the criterion chosen for resetting the strategy). Consider now some $\rho \in Q^+$ ending at state $q \in Q$ and another state $q' \in Q$. Assume that the residual strategy $s_A^{\rho}$ is optimal but that the residual strategy $s_A^{\rho \cdot q'}$ is not. Then, similarly to why local optimality is necessary for subgame optimality (see Proposition 1), one can show that any Player B action $b$ leading to $q'$ from $\rho$ with positive probability is such that $\chi_{\mathcal{G}}(q) < \mathrm{out}_{\mathcal{F}_q}(s_A(\rho), b)$. Hence, there is a positive probability from $\rho$, if Player B opts for the action $b$, to reach a state of value different from $u = \chi_{\mathcal{G}}(q)$. And if this happens infinitely often, a state of value different from $u$ will be reached almost-surely³. In other words, if a value area is never left, almost-surely, the strategy $s_A'$ only resets finitely often.

Consider now some $\rho \in Q^+$, a Player B deterministic strategy $s_B$ and a value $u \in V_{\mathcal{G}} \setminus \{0\}$. From what we argued above, the probability of the event $Q^* \cdot (Q_u)^\omega$ (resp. $W \cap Q^* \cdot (Q_u)^\omega$) is the same if we intersect it with the event that the strategy $s_A'$ only resets finitely often. Furthermore, if the strategy does not reset anymore from some point on, and all states have the same value $u > 0$, then it follows that the probability of $W$ is 1 (since $W$ is PI). We can then conclude by applying Theorem 1.


Finite-choice strategies are interesting for another reason. In the previous section, we applied the memory transfer from Theorem 2 to the Büchi and co-Büchi objectives. We did not apply it to other objectives, in particular to the parity objective. Indeed, in general, contrary to the case of turn-based games, infinite memory is necessary to be almost-surely winning in parity games. This happens in Figure 2 (already described in [12]) where the objective of Player A is to see $q_1$ infinitely often, while seeing $q_2$ only finitely often. Let us describe a Player A subgame almost-surely winning strategy. The top row is played with probability $1 - \varepsilon_k$ and the bottom row is played with probability $\varepsilon_k > 0$ with $\varepsilon_k$ going to 0 when $k$ goes to $\infty$ (the $(\varepsilon_k)_k$ used in the game in Figure 1 works here as well), where $k$ denotes the number of times the state $q_0$ is seen. Such a strategy is subgame almost-surely winning and does not have finite choice. In fact, it can be shown that all Player A finite-choice strategies have value 0 in that game.

Interestingly, the transfer of memory of Theorem 2 is adapted in Theorem 5 
with the memory that is sufficient in turn-based games — for those PI objectives 
that have a “neutral color”— if we additionally assume that the subgame opti- 
mal strategy considered has finite choice. First, let us define what is meant by 
“neutral color”, then we define the turn-based version of PSAW. 


³ This holds because the strategy $s_A$ has finite choice: the probability to see a state of different value is bounded below by the product of $c$ and the smallest positive probability among all Nature states.
Definition 19 (Objective with a neutral color). Consider a set of colors $K$ and a PI objective $W \subseteq K^\omega$. It has a neutral color if there is some (neutral) color $k \in K$ such that, for all $\rho = \rho_0 \cdot \rho_1 \cdots \in K^\omega$, we have $\rho \in W \Leftrightarrow \rho_0 \cdot k \cdot \rho_1 \cdot k \cdots \in W$.


Definition 20 (PSAWT objective in turn-based games). Consider a PI objective $W \subseteq K^\omega$. It is positionally subgame almost-surely winnable in turn-based games (PSAWT for short) if in all turn-based games $\mathcal{G} = (\mathcal{C}, W)$ where there is a subgame almost-surely winning strategy, there is a positional one.


Theorem 5. Consider a PSAWT PI objective $W \subseteq K^\omega$ with a neutral color and a concurrent game $\mathcal{G}$ with objective $W$. Assume there is a subgame optimal strategy that has finite choice. Then, there is a positional one.


Proof (Sketch). A finite-choice strategy $s_A$ plays only among a finite number of GF-strategies at each state. The idea is therefore to modify the game $\mathcal{G}_u$ of the previous section into a game $\mathcal{G}'_u$ by transforming it into a (finite) turn-based game. At each state, Player A chooses first her GF-strategy. She can choose among only a finite number of them: she has at her disposal, at a state $q$, only the optimal GF-strategies in $S_A^q$ (recall Definition 18). We consider the objective $W$ in that new arena where Player B states are colored with a neutral color. The existence, in $\mathcal{G}$, of a subgame optimal strategy that has finite choice ensures that all states in $\mathcal{G}'_u$ have positive values. We can then conclude as for Theorem 2: a subgame optimal strategy can be obtained by gluing together subgame almost-surely winning strategies in the (turn-based) games $\mathcal{G}'_u$ (that can be chosen positional by assumption).


As an application, one can realize that the parity, mean-payoff and generalized Büchi objectives have a neutral color and are PSAWT ([11,16,7]). Hence, for these objectives, if there exists an optimal strategy that has finite choice, then there is one that is positional.


Corollary 2. Consider a concurrent game $\mathcal{G}$ with a parity (resp. mean-payoff, resp. generalized Büchi) objective. Assume that there is an optimal strategy that has finite choice in $\mathcal{G}$. Then, there is a positional one.